Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1412689
MD5: 974ee5a979968d8d8ff4060f3db411aa
SHA1: 87025bb6bc7a6d80c8a0ef878b835e22128e8e7e
SHA256: 4a7d5362602e4689f02908a6b2107b89a05f2601c850804ed886d51af79756d0
Tags: exe

Detection

Detected families: PureLog Stealer, RedLine, zgRAT
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • file.exe (PID: 1536, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 974EE5A979968D8D8FF4060F3DB411AA)
    • conhost.exe (PID: 1812, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
Malware Family Descriptions

Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan that sometimes drops other malware such as AgentTesla. It also has an infostealer component that targets browser data and cryptocurrency wallets. It usually spreads via USB or phishing emails carrying .zip/.lnk/.bat/.xlsx attachments and similar.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

RedLine: {"C2 url": "45.15.156.127:23000"}
Yara Overview

PCAP (Network):
  • dump.pcap: JoeSecurity_RedLine_1 (Yara detected RedLine Stealer), author: Joe Security
  • dump.pcap: JoeSecurity_RedLine (Yara detected RedLine Stealer), author: Joe Security

Memory Dumps:
  • 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer), author: Joe Security
  • 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp: JoeSecurity_RedLine (Yara detected RedLine Stealer), author: Joe Security
  • 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp: JoeSecurity_zgRAT_1 (Yara detected zgRAT), author: Joe Security
  • 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer), author: Joe Security
  • 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp: JoeSecurity_RedLine (Yara detected RedLine Stealer), author: Joe Security
  • (5 further entries not shown in this export)

Unpacked PEs:
  • 0.2.file.exe.fa6000.1.raw.unpack: JoeSecurity_zgRAT_1 (Yara detected zgRAT), author: Joe Security
  • 0.2.file.exe.fa6000.1.raw.unpack: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer), author: Joe Security
  • 0.2.file.exe.fa6000.1.raw.unpack: JoeSecurity_RedLine (Yara detected RedLine Stealer), author: Joe Security
  • 0.2.file.exe.fa6000.1.raw.unpack: MALWARE_Win_zgRAT (Detects zgRAT), author: ditekSHen; matched strings:
    • 0x3d3a9: $s1: file:///
    • 0x3d2e1: $s2: {11111-22222-10009-11112}
    • 0x3d339: $s3: {11111-22222-50001-00000}
    • 0x3880c: $s4: get_Module
    • 0x38c76: $s5: Reverse
    • 0x3b642: $s6: BlockCopy
    • 0x39035: $s7: ReadByte
    • 0x3d3bb: $s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
  • 0.2.file.exe.1130000.2.unpack: JoeSecurity_zgRAT_1 (Yara detected zgRAT), author: Joe Security
  • (11 further entries not shown in this export)
                        No Sigma rule has matched
Snort IDS Alerts

  • Timestamp: 03/20/24-20:30:14.605706, SID: 2046045, Protocol: TCP, Source Port: 49705, Destination Port: 23000, Classtype: A Network Trojan was detected
  • Timestamp: 03/20/24-20:30:15.707164, SID: 2046056, Protocol: TCP, Source Port: 23000, Destination Port: 49705, Classtype: A Network Trojan was detected
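The rule names for these two SIDs (see the Networking section) reference MC-NMF, the .NET Message Framing protocol that WCF net.tcp endpoints speak: a client opens the connection with a preamble that carries the target URI, the framing mode and the message encoding in cleartext before any envelope is sent, which is why the first packet of such a session is enough to fingerprint it. The parser below is an added example, not code from the report or from the Emerging Threats rule set. The record layout follows the public MC-NMF specification; the byte stream it reads is constructed around the C2 from the extracted configuration, and the net.tcp URI form, duplex mode and binary encoding are assumptions about how a WCF client would announce itself, not observations from this analysis.

```python
# Added example (not from the Joe Sandbox report): minimal parser for the
# .NET Message Framing (MC-NMF) preamble that a WCF net.tcp client sends first.
# The sample stream is constructed, not captured from the analysed file.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RECORD_NAMES = {
    0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
    0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
    0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
    0x0B: "PreambleAck", 0x0C: "PreambleEnd",
}
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "utf8-soap11", 1: "utf16-soap11", 2: "unicode-le-soap11",
             3: "utf8-soap12", 4: "utf16-soap12", 5: "unicode-le-soap12",
             6: "mtom", 7: "binary", 8: "binary-with-dictionary"}
DEFAULT_NET_TCP_PORT = 808


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """MC-NMF length field: 7 bits per byte, low group first, MSB = more bytes."""
    value, shift = 0, 0
    for i in range(5):                       # the spec caps the field at 5 bytes
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if b & 0x80 == 0:
            return value, i + 1
        shift += 7
    raise ValueError("varint longer than 5 bytes")


@dataclass
class Preamble:
    version: Optional[Tuple[int, int]] = None
    mode: Optional[str] = None
    via: Optional[str] = None
    encoding: Optional[str] = None
    upgrades: List[str] = field(default_factory=list)
    complete: bool = False                   # PreambleEnd (0x0C) was seen


def parse_preamble(buf: bytes) -> Tuple[Preamble, int]:
    """Parse records up to PreambleEnd; return (preamble, bytes consumed)."""
    p = Preamble()
    pos = 0
    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == 0x00:                      # Version: major, minor
            p.version = (buf[pos], buf[pos + 1])
            pos += 2
        elif rec == 0x01:                    # Mode: one byte
            p.mode = MODES.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == 0x02:                    # Via: varint length + UTF-8 URI
            n, k = read_varint(buf, pos)
            pos += k
            p.via = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rec == 0x03:                    # KnownEncoding: one byte
            p.encoding = ENCODINGS.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == 0x09:                    # UpgradeRequest: varint length + protocol
            n, k = read_varint(buf, pos)
            pos += k
            p.upgrades.append(buf[pos:pos + n].decode("utf-8"))
            pos += n
        elif rec == 0x0C:                    # PreambleEnd: envelopes follow
            p.complete = True
            return p, pos
        else:
            raise ValueError(f"unexpected record {RECORD_NAMES.get(rec, rec)} in preamble")
    return p, pos


def suspicious(p: Preamble) -> List[str]:
    """Heuristics worth applying to a net.tcp preamble seen leaving a host."""
    reasons = []
    if p.via and "://" in p.via:
        host_port = p.via.split("://", 1)[1].split("/", 1)[0]
        host, _, port = host_port.rpartition(":")
        if host.replace(".", "").isdigit():
            reasons.append("via addresses a bare IP, not a hostname")
        if port.isdigit() and int(port) != DEFAULT_NET_TCP_PORT:
            reasons.append(f"non-default net.tcp port {port}")
    if p.complete and not p.upgrades:
        reasons.append("no transport upgrade requested (no TLS/Negotiate)")
    return reasons


def build_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Construct a client preamble (test data only)."""
    v = via.encode()
    assert len(v) < 0x80                     # single-byte varint
    return (b"\x00\x01\x00" + bytes([0x01, mode]) + bytes([0x02, len(v)]) + v
            + bytes([0x03, encoding]) + b"\x0C")


# Constructed stream: the C2 from the extracted configuration, as an assumed
# duplex, binary-encoded WCF client would announce it, followed by the start
# of a (empty) sized envelope to show the parser stops at PreambleEnd.
SAMPLE_STREAM = build_preamble("net.tcp://45.15.156.127:23000/") + b"\x06\x00"

if __name__ == "__main__":
    pre, used = parse_preamble(SAMPLE_STREAM)
    print(pre, used, suspicious(pre))
```

The preamble is sent before any upgrade, so even a session that later negotiates TLS leaks the Via URI and the encoding in cleartext; a stream that ends its preamble with no UpgradeRequest record stays in the clear for the whole session, which is what makes response-side rules such as SID 2046056 possible.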

                        AV Detection

Source: file.exe | Avira: detected
Source: 45.15.156.127:23000 | Avira URL Cloud: Label: malware
Source: file.exe.1536.0.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:23000"}
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: file.exe, 00000000.00000003.2173136805.0000000008005000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2171508461.0000000007FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PENDIN~1.PDBPending Pingsp,48W | source: file.exe, 00000000.00000002.2250711849.0000000008005000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F965CA FindFirstFileExW | 0_2_00F965CA
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 0_2_075FE300
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075F7E45h | 0_2_075F7BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FB723h | 0_2_075FB478
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FBA05h | 0_2_075FB478
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FD1ABh | 0_2_075FCFCF
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FF5D4h | 0_2_075FF59C
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FD1ABh | 0_2_075FD019
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 075FD1ABh | 0_2_075FD028
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0762A276h | 0_2_07629BC8

                        Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49705 -> 45.15.156.127:23000
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:23000 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: 45.15.156.127:23000
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 45.15.156.127:23000
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127 (this finding is listed 49 times in the report, once per connection attempt to the same address)
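The repeated "TCP traffic detected without corresponding DNS query" finding is a heuristic worth reproducing on your own telemetry: a host that opens connections to a public IP it never resolved is using a hard-coded address, as this sample does with 45.15.156.127:23000. The script below is an added example, not sandbox code. It runs over a constructed flow log (the 142.250.74.78 DNS answer, the internal 192.168.2.1 connection and the timestamps are made up for the example) and also applies the report's non-standard-port check plus a time window, so that a stale DNS answer from long ago does not excuse a later connection.

```python
# Added example (not from the Joe Sandbox report): flag TCP connections whose
# destination was never returned by a DNS answer seen from the same host.
# Zeek dns.log + conn.log or firewall logs carry the same fields.
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str          # "dns": a resolved answer; "tcp": a new outbound connection
    src: str           # internal host
    dst: str           # tcp: destination IP; dns: the resolved IP (one event per answer)
    dport: int = 0     # tcp only


# Ports where an unresolved destination is at least plausible (CDNs, mail, SSH).
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def flag_unresolved(events: List[Event], window_s: float = 600.0) -> List[Tuple[Event, List[str]]]:
    """Return (connection, reasons) for every outbound TCP connection to a public
    IP that the source host did not resolve via DNS within window_s seconds."""
    answers: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    findings: List[Tuple[Event, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            answers[(ev.src, ev.dst)].append(ev.ts)
            continue
        if ipaddress.ip_address(ev.dst).is_private:
            continue       # internal traffic is routinely address-based; skip it
        reasons = []
        if not any(ev.ts - window_s <= t <= ev.ts for t in answers[(ev.src, ev.dst)]):
            reasons.append("no preceding DNS answer for destination")
        if ev.dport not in COMMON_PORTS:
            reasons.append(f"non-standard port {ev.dport}")
        if reasons:
            findings.append((ev, reasons))
    return findings


def summarize(findings: List[Tuple[Event, List[str]]]) -> Counter:
    """Collapse per-connection hits to (src, dst, dport) -> count, the way the
    report's 49 identical lines collapse to one destination."""
    return Counter((ev.src, ev.dst, ev.dport) for ev, _ in findings)


# Constructed flow log mirroring the report: one resolved browser connection,
# one internal connection, 49 connections to the extracted C2 with no lookup,
# and one late reuse of the resolved IP outside the window.
SAMPLE_EVENTS = [
    Event(100.0, "dns", "192.168.2.5", "142.250.74.78"),        # constructed DNS answer
    Event(101.0, "tcp", "192.168.2.5", "142.250.74.78", 443),   # resolved, common port: clean
    Event(150.0, "tcp", "192.168.2.5", "192.168.2.1", 445),     # private destination: skipped
] + [
    Event(200.0 + i, "tcp", "192.168.2.5", "45.15.156.127", 23000) for i in range(49)
] + [
    Event(1000.0, "tcp", "192.168.2.5", "142.250.74.78", 443),  # answer is 900 s old: stale
]

if __name__ == "__main__":
    for key, count in summarize(flag_unresolved(SAMPLE_EVENTS)).items():
        print(key, count)
```

Two caveats when running this on real data: hosts that resolve through DNS-over-HTTPS or a proxy produce no dns.log entries and will look hard-coded, and a CDN answer set can legitimately be cached longer than the window, so treat the port check and repetition count as the tie-breakers rather than alerting on a single unresolved connection.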
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $eq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2225906747.00000000037C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $eqrC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2246738219.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
  • \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
  • \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: file.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://ns.adobe.0/
  • http://ns.adobe.c/r
  • http://ns.microsoft.1.
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  • http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2002/12/policy
  • http://schemas.xmlsoap.org/ws/2004/04/sc
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust
  • http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2004/10/wsat
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2005/02/sc
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  • http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • http://schemas.xmlsoap.org/ws/2005/02/trust
  • http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  • http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1ResponseD
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                        Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2ResponseD
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                        Source: file.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                        Source: file.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3ResponseD
                        Source: file.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                        Source: file.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or22
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.fa6000.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: file.exe, 00000000.00000002.2221581031.00000000011B6000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGristles.exe" vs file.exe
Source: file.exe, 00000000.00000002.2221326793.0000000001029000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGristles.exe" vs file.exe
Source: file.exe, 00000000.00000002.2222548682.000000000152E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.fa6000.1.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.fa6000.1.raw.unpack, --.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.fa6000.1.raw.unpack, --.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/1@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1812:120:WilError_03
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
Source: file.exe | Static file information: File size 1060864 > 1048576
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb | source: file.exe, 00000000.00000003.2173136805.0000000008005000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2171508461.0000000007FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PENDIN~1.PDBPending Pingsp,48W | source: file.exe, 00000000.00000002.2250711849.0000000008005000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.file.exe.fa6000.1.raw.unpack, --.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                        Source: file.exeStatic PE information: section name: .text entropy: 7.144687828338716
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (identical event reported 69 times)

                        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477 (identical event reported twice)
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2502
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 4643
Source: C:\Users\user\Desktop\file.exe TID: 3552 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 3012 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F965CA FindFirstFileExW | 0_2_00F965CA
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477 (identical event reported twice)
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000002.2246738219.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.2244284556.00000000044CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_077A1260 LdrLoadDll | 0_2_077A1260
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F91AD1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F91AD1
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F91AD1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F91AD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F91645 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00F91645
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9438B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F9438B
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F91D35 cpuid | 0_2_00F91D35
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F919B8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00F919B8
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectronCashE#
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
Source: file.exe, 00000000.00000002.2222548682.0000000001566000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.jsont6 (identical event reported twice)
Source: file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: file.exe | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ (identical event reported twice)
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ (identical event reported twice)
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ (identical event reported twice)
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ (identical event reported twice)
Source: Yara match | File source: 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1536, type: MEMORYSTR
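The two sections above carry the behaviour that actually decides the verdict for this sample: WMI queries against Win32_DiskDrive, Win32_VideoController and Win32_Processor return hardware model and vendor strings in which VMware, QEMU, VirtualBox or Hyper-V show up (a VM fingerprint, which is why the sandbox lists them under evasion), the root\SecurityCenter and root\SecurityCenter2 queries enumerate the registered AV, anti-spyware and firewall products, the negative sleep values are far beyond the sandbox's 30000 threshold, and the "File opened" lines name the Chromium and Firefox credential stores and a dozen wallet directories. The following Python script is an added example, not Joe Sandbox code and not part of this report: it parses lines in the report's own format (the raw layout with fused cells and "Jump to behavior" link text as well as the cleaned-up layout), puts each line into one of five behaviour buckets and derives a small set of tags for a triage queue. The bucket names, the tag names and the class, file-name and directory lists are my own choices, populated from the lines of this report; the sample input is a constructed subset of those lines.

```python
"""Triage of Joe Sandbox behaviour-signature lines (added example, not Joe Sandbox code).

Buckets WMI queries into VM fingerprinting vs. security-product enumeration,
flags sleeps above the report's own threshold, and lists the browser credential
stores and wallet directories the sample touched."""
import re
from typing import Dict, Iterable, List

# Class names taken from the WMI queries in this report.  The first three return
# hardware model/vendor strings that reveal VMware, QEMU, VirtualBox or Hyper-V;
# the SecurityCenter(2) classes list installed AV, anti-spyware and firewall products.
VM_FINGERPRINT_CLASSES = {"Win32_DiskDrive", "Win32_VideoController", "Win32_Processor"}
SECURITY_PRODUCT_CLASSES = {"AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct"}
# Chromium/Firefox profile files and wallet directory names seen in the "File opened" lines.
BROWSER_STORE_NAMES = {"Login Data", "Web Data", "Cookies", "Extension Cookies", "cookies.sqlite"}
WALLET_DIR_MARKERS = {"Exodus", "Electrum", "Electrum-LTC", "ElectronCash", "Ethereum", "Bitcoin",
                      "atomic", "Binance", "Coinomi", "Guarda", "com.liberty.jaxx"}
SLEEP_THRESHOLD = 30000  # the report's own cut-off ("... >= -30000s")

WMI_RE = re.compile(r"SELECT\s+\*\s+FROM\s+(\w+)", re.IGNORECASE)
SLEEP_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")
# Path runs up to the optional "Jump to behavior" link text left in raw exports.
FILE_RE = re.compile(r"File opened:\s*(.+?)\s*(?:Jump to behavior)?\s*$")

# Constructed sample: a subset of this report's lines in their raw (fused) layout.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe TID: 3012Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
Source: file.exeStatic PE information: section name: .text entropy: 7.144687828338716
""".strip().splitlines()

BUCKETS = ("vm_fingerprint_wmi", "security_product_wmi", "long_sleeps", "browser_stores", "wallet_dirs")
TAGS = {  # bucket -> triage tag (names are my own)
    "vm_fingerprint_wmi": "anti-vm",
    "security_product_wmi": "av-enumeration",
    "long_sleeps": "sleep-evasion",
    "browser_stores": "browser-credential-access",
    "wallet_dirs": "crypto-wallet-access",
}


def triage(lines: Iterable[str]) -> Dict[str, list]:
    """Sort report lines into the five buckets; each bucket comes back sorted and deduplicated."""
    found: Dict[str, set] = {bucket: set() for bucket in BUCKETS}
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            cls = m.group(1)
            if cls in VM_FINGERPRINT_CLASSES:
                found["vm_fingerprint_wmi"].add(cls)
            elif cls in SECURITY_PRODUCT_CLASSES:
                found["security_product_wmi"].add(cls)
            continue
        m = SLEEP_RE.search(line)
        if m:
            delay = int(m.group(1))  # magnitude only; the report prints it negative
            if delay >= SLEEP_THRESHOLD:
                found["long_sleeps"].add(delay)
            continue
        m = FILE_RE.search(line)
        if m:
            path = m.group(1)
            parts = [p for p in path.split("\\") if p]
            if parts and parts[-1] in BROWSER_STORE_NAMES:
                found["browser_stores"].add(path)
            elif WALLET_DIR_MARKERS.intersection(parts):
                found["wallet_dirs"].add(path)
    return {bucket: sorted(values) for bucket, values in found.items()}


def tags(result: Dict[str, list]) -> List[str]:
    """Triage tags for every non-empty bucket, sorted for stable output."""
    return sorted(tag for bucket, tag in TAGS.items() if result[bucket])


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for bucket, items in summary.items():
        print(f"{bucket}: {items}")
    print("tags:", tags(summary))
```

Run it against the full report text rather than the sample and the wallet bucket fills with every directory listed above. Two caveats: the SecurityCenter2 queries also appear in legitimate installers and inventory agents, so "av-enumeration" on its own is weak evidence and only becomes meaningful next to the credential-store and wallet access; and the match is on file and directory names, so a sample that enumerates the same paths through a different API or with obfuscated strings produces empty buckets rather than a clean verdict.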

                        Remote Access Functionality

                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match, File source: dump.pcap, type: PCAP

                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: file.exe PID: 1536, type: MEMORYSTR

                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.1130000.2.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.fa6000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.file.exe.f50000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

                        MITRE ATT&CK Matrix

                        Techniques are listed per tactic column; a number before a technique name is the hit-count badge that was extracted together with that cell.

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                        Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading
                        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                        Discovery: 1 System Time Discovery; 331 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 124 System Information Discovery; System Owner/User Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                        Collection: 11 Archive Collected Data; 3 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                        Antivirus detection for the submitted file

                        Source   | Detection | Scanner        | Label
                        file.exe | 32%       | ReversingLabs  | Win32.Trojan.RedLine
                        file.exe | 100%      | Avira          | HEUR/AGEN.1318539
                        file.exe | 100%      | Joe Sandbox ML |

                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches

                        Antivirus detection for URLs and domains

                        Source                                     | Detection | Scanner         | Label
                        https://api.ip.sb/ip                       | 0%        | URL Reputation  | safe
                        http://www.w3.o                            | 0%        | URL Reputation  | safe
                        http://tempuri.org/example/Field1ResponseD | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field1Response  | 0%        | Avira URL Cloud | safe
                        http://ns.adobe.c/r                        | 0%        | Avira URL Cloud | safe
                        45.15.156.127:23000                        | 100%      | Avira URL Cloud | malware
                        http://www.w3.or22                         | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/                        | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field3ResponseD | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field1          | 0%        | Avira URL Cloud | safe
                        https://discord.com/api/v9/users/          | 0%        | Avira URL Cloud | safe
                        http://ns.adobe.0/                         | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field2          | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field3Response  | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/D                       | 0%        | Avira URL Cloud | safe
                        http://tempuri.org/example/Field3          | 0%        | Avira URL Cloud | safe
                        http://ns.microsoft.1.                     | 0%        | Avira URL Cloud | safe
                        No contacted domains info
                        Contacted IPs

                        Name                | Malicious | Antivirus Detection      | Reputation
                        45.15.156.127:23000 | true      | Avira URL Cloud: malware | unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Textfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://schemas.xmlsoap.org/ws/2005/02/sc/sctfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://ns.adobe.c/rfile.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://duckduckgo.com/ac/?q=file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.w3.or22file.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://tempuri.org/file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrapfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faulthfile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Preparefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://ns.adobe.0/file.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencefile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://discord.com/api/v9/users/file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/faultfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wsatfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/example/Field1Responsefile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://tempuri.org/example/Field1ResponseDfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://api.ip.sb/ipfile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2004/04/scfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.ecosia.org/newtab/file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedfile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegofile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingfile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/example/Field3ResponseDfile.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trustfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Noncefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsfile.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renewfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/example/Field1file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/soap/envelope/file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/example/Field2 | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/example/Field3 | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/D | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.w3.o | file.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/example/Field3Response | file.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 | file.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.microsoft.1. | file.exe, 00000000.00000002.2225366488.0000000001987000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low

Note on reading this table: the schemas.xmlsoap.org, docs.oasis-open.org and tempuri.org entries are WS-*/SOAP namespace identifiers that the .NET WCF runtime (System.ServiceModel) carries as string constants. Their presence in process memory shows that the sample links WCF, not that these hosts were contacted, so they are not block or alert indicators. The ch.search.yahoo.com and www.google.com strings match Chromium's built-in search-provider definitions and are most likely residue of the browser-data harvesting flagged in the signatures rather than sample-initiated traffic. Truncated strings such as http://www.w3.o are memory fragments and are left as extracted.
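The rows above are a flattened HTML table: each URL runs straight into its source column (sample name plus memory-dump identifier) and the Malicious flag, with the antivirus verdict and reputation on the following lines. The Python below is an added example, not part of the Joe Sandbox report: it parses that flattened layout back into records and buckets the strings, treating schemas.xmlsoap.org, docs.oasis-open.org, tempuri.org and www.w3.org entries as WS-*/XML namespace constants rather than contacted hosts. The namespace allowlist is an assumption to be extended per environment; of the input rows, four are copied from this report and the c2.example.invalid row is constructed to exercise the malicious case.

```python
"""Added example (not from the Joe Sandbox report): rebuild flattened
"URLs from memory" rows into records and separate network indicators from
embedded WS-*/XML namespace strings.
Row layout handled:
  <url><sample>, <dump-id>.sdmp[, <sample>, <dump-id>.sdmp]...<true|false>
followed by optional "• <engine>: <verdict>" lines and a reputation line."""
import re
from dataclasses import dataclass, field
from typing import List

# Joe Sandbox memory-dump identifier: eight dot-separated numeric/hex fields plus .sdmp,
# e.g. 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmp
DUMP = r"[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7}\.sdmp"

# Namespace prefixes the .NET WCF / WS-* runtime carries as string constants.
# Finding them in memory means "uses System.ServiceModel", not "contacted".
# Assumption: this allowlist is illustrative; extend it for your own stack.
NAMESPACE_PREFIXES = (
    "http://schemas.xmlsoap.org/",
    "http://docs.oasis-open.org/",
    "http://tempuri.org/",
    "http://www.w3.org/",
)


@dataclass
class UrlRow:
    url: str
    dumps: List[str]                    # memory dumps the string was found in
    malicious: bool                     # the report's own Malicious column
    detections: List[str] = field(default_factory=list)  # "Avira URL Cloud: safe", ...
    reputation: str = "unknown"         # high / low / unknown

    @property
    def category(self) -> str:
        if self.malicious:
            return "ioc"
        if self.url.startswith(NAMESPACE_PREFIXES):
            return "namespace"
        return "review"  # truncated fragments and everything else: a human looks


def row_pattern(sample: str):
    # The URL column runs straight into the sample name, so the sample name is
    # the only delimiter; it must be supplied (here "file.exe", from the report).
    src = rf"{re.escape(sample)}, {DUMP}"
    return re.compile(rf"^(?P<url>.+?)(?P<src>{src}(?:, {src})*)(?P<mal>true|false)$")


def parse_url_table(lines, sample: str = "file.exe") -> List[UrlRow]:
    pat = row_pattern(sample)
    rows: List[UrlRow] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = pat.match(line)
        if m:
            rows.append(UrlRow(m.group("url"), re.findall(DUMP, m.group("src")),
                               m.group("mal") == "true"))
        elif rows and line.startswith("•"):
            rows[-1].detections.append(line.lstrip("• ").strip())
        elif rows and line in ("high", "low", "unknown"):
            rows[-1].reputation = line
        # header text, map legends and other residue fall through and are ignored
    return rows


def triage(rows: List[UrlRow]) -> dict:
    """Bucket URLs so only 'ioc' and 'review' entries reach blocklists or tickets."""
    buckets = {"ioc": [], "namespace": [], "review": []}
    for r in rows:
        buckets[r.category].append(r.url)
    return buckets


# Constructed input: four rows copied from this report plus one made-up malicious
# row (c2.example.invalid is a placeholder, not an indicator from the report).
SAMPLE_ROWS = """
http://tempuri.org/example/Field2file.exe, 00000000.00000002.2225906747.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://schemas.xmlsoap.org/ws/2005/02/trustfile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000002.2244284556.0000000004539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2244284556.0000000004379000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://www.w3.ofile.exe, 00000000.00000002.2225906747.00000000034B4000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
http://c2.example.invalid/gatefile.exe, 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmptrue
• Avira URL Cloud: malware
unknown
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, urls in triage(parse_url_table(SAMPLE_ROWS)).items():
        print(bucket, urls)
```

To use it on a full report, pass the text of the whole URL table and the value of the report's "Sample name" field as `sample`; because the URL and source columns are fused, a wrong sample name makes every row fail to parse rather than parse wrongly, which is the safer failure.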
IP | Domain | Country | ASN | ASN Name | Malicious
45.15.156.127 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1412689
Start date and time: 2024-03-20 20:29:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 432
• Number of non-executed functions: 47
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: file.exe
Time | Type | Description
20:30:17 | API Interceptor | 35x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.15.156.127 | doingCTIrocks_crypted.exe | malicious | RedLine |
 | GbZkRO8wav.exe | malicious | RedLine |
 | lnker.lnk | malicious | RedLine |
 | driver.exe | malicious | RedLine |
 | Eclipse.exe | malicious | AsyncRAT, PureLog Stealer, RHADAMANTHYS, RedLine, XWorm, zgRAT |
 | 7bXVSwc9dp.exe | malicious | PureLog Stealer, RedLine, zgRAT |
 | SecuriteInfo.com.Trojan.Agent.446.6903.exe | malicious | RedLine |
 | axfdj9gfw.exe | malicious | RedLine |
 | last.exe | malicious | RedLine, Xmrig |
 | edgag365.exe | malicious | RedLine |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | doingCTIrocks_crypted.exe | malicious | RedLine | 45.15.156.127
 | file.exe | malicious | RedLine | 5.42.65.68
 | ZaM8NyChIZ.exe | malicious | PrivateLoader, RisePro Stealer | 5.42.66.22
 | PkSZDobcRa.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 5.42.65.117
 | file.exe | malicious | Amadey, Glupteba, Mars Stealer, Stealc, Vidar | 5.42.64.44
 | D0B2o3y7Zz.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer |
                                                                                                                                                                                                                  • 5.42.65.117
                                                                                                                                                                                                                  https://forum.fontlab.com/index.php?thememode=full;redirect=https://ags.college/D5Qw4GQ3Ea4RAy2APw4GloTxB4GalP21z01coTxmGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                  • 45.15.157.52
                                                                                                                                                                                                                  GbZkRO8wav.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                  • 45.15.156.127
                                                                                                                                                                                                                  1nj V2.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                  • 45.15.156.142
                                                                                                                                                                                                                  Setup.exeGet hashmaliciousLummaC, PureLog Stealer, XmrigBrowse
                                                                                                                                                                                                                  • 45.15.156.43
                                                                                                                                                                                                                  No context
                                                                                                                                                                                                                  No context
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2543
Entropy (8bit): 5.331950323785858
Encrypted: false
SSDEEP: 48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HDfHKdHKLBHK7HKmTHQmHKtXoDHsLHqH5J:Pq5qHwCYqh3oPtI6eqzxTqdqlq7qqjqI
MD5: D1C706335BBF6ECA4BECB0CACD9231EB
SHA1: AC27DA2AC6FEC7C7F24C9796CB7BCECD5EF8F382
SHA-256: 45449CD3FC0C10386A37510D13C883FEF94883D11D757FDD0FFE4EDAF0DAAD75
SHA-512: D5A4D33B362C4EF19CD0E43F2F518258EE45A1A32DED992B851276DF3BC8A4559E7D1872B155E10DAF1FF6B38C65AF472AF429B8362EBBB12976B3454C1FE68B
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.1319839950734245
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'060'864 bytes
MD5: 974ee5a979968d8d8ff4060f3db411aa
SHA1: 87025bb6bc7a6d80c8a0ef878b835e22128e8e7e
SHA256: 4a7d5362602e4689f02908a6b2107b89a05f2601c850804ed886d51af79756d0
SHA512: 6d5970dea875ec94bb3e54aecb69dcea7a2924504594cb6494b5eb64556bda331b4612c62480cecfdfc042706170ca667eedf77bafff129296877a8fd1e25109
SSDEEP: 12288:83j6KKatirX7sDmORYDgu3t6b/hWASFLZVpVMwQhvOmjDEVT:0TWL4KF3tYJWAS/5Mwm2Ok
TLSH: 2135070B56A3DE93F2B63D323628C8617465F47E95AE04D3AFB48908B10D4E6C1F87D6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...UB.5. ....f..R...E..|.<v.....u.....X....v...T.3'..;.y8I....^..<.a......;.......un.....O.g...I.&..:.........................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x44163b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65FABC83 [Wed Mar 20 10:37:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 06b19df27312bd87fd2a26e776e82070
Instruction
call 00007F98C94BD0DAh
jmp 00007F98C94BCB89h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0044F02Ch]
push dword ptr [ebp+08h]
call dword ptr [0044F028h]
push C0000409h
call dword ptr [0044F030h]
push eax
call dword ptr [0044F034h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0044F038h]
test eax, eax
je 00007F98C94BCD17h
push 00000002h
pop ecx
int 29h
mov dword ptr [00503828h], eax
mov dword ptr [00503824h], ecx
mov dword ptr [00503820h], edx
mov dword ptr [0050381Ch], ebx
mov dword ptr [00503818h], esi
mov dword ptr [00503814h], edi
mov word ptr [00503840h], ss
mov word ptr [00503834h], cs
mov word ptr [00503810h], ds
mov word ptr [0050380Ch], es
mov word ptr [00503808h], fs
mov word ptr [00503804h], gs
pushfd
pop dword ptr [00503838h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0050382Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00503830h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0050383Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00503778h], 00010001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54964 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x105000 | 0x1c8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x53ea0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x53de0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x130 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4d293 | 0x4d400 | 5291851637685ffd5e17288f9c40cab3 | False | 0.621362383697411 | data | 7.144687828338716 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4f000 | 0x6020 | 0x6200 | 4e3a30250535300ea68ca587315283ec | False | 0.4145408163265306 | data | 4.776555730408556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x56000 | 0xae1ac | 0xad800 | f486588b64ee7b5ccebc571fea015e85 | False | 0.19355637608069165 | data | 4.944716442411832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x105000 | 0x1c8c | 0x1e00 | f14931ee7fddfd5296502bbac3d435b7 | False | 0.7576822916666667 | data | 6.4675323814830294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | VirtualProtect, WaitForSingleObject, VirtualAllocEx, lstrlenW, LoadLibraryA, Sleep, GetProcAddress, CreateThread, VirtualAlloc, FreeConsole, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/24-20:30:14.605706 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
03/20/24-20:30:15.707164 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2024 20:30:13.484433889 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:13.702009916 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:13.703551054 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:13.862834930 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:14.080667019 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:14.122961044 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:14.605705976 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:14.823990107 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:14.872988939 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.486409903 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.707164049 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707184076 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707211971 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707225084 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707236052 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707264900 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.707295895 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.707303047 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707345963 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.707346916 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707425117 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707438946 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707464933 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.707468987 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.707503080 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:15.924876928 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.924895048 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:15.925014973 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.039843082 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.258775949 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.258831024 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.258919001 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.259037971 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.259114981 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.259126902 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.259160042 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.476519108 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.476533890 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.476552010 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.476646900 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.476705074 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.476818085 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.476882935 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.476979971 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.477005005 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.477030993 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.694252968 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694333076 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694358110 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.694428921 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694449902 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.694544077 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694576979 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.694797039 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694804907 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694824934 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.694988966 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.695010900 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.695101023 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.695146084 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.695151091 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.695190907 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.695219994 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.695497036 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.695549965 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.912389994 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.912486076 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.912549973 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.912559032 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.912971973 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.913419008 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.913494110 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.913681984 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.913894892 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.913979053 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.914515018 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.914531946 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.914851904 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.914911032 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.915039062 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915085077 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915361881 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915477037 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915644884 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915745020 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.915791988 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916183949 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916317940 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916387081 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916475058 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916903973 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.916940928 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917093039 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917258978 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917380095 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917421103 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917455912 CET | 49705 | 23000 | 192.168.2.5 | 45.15.156.127
Mar 20, 2024 20:30:21.917673111 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917679071 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917819977 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
Mar 20, 2024 20:30:21.917864084 CET | 23000 | 49705 | 45.15.156.127 | 192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:21.918135881 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:21.918236017 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:21.918344975 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:21.918423891 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.129971981 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.129998922 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132316113 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132333040 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132651091 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132831097 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132838964 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132882118 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132921934 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.132971048 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133044004 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133059025 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133125067 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133132935 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133258104 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133352995 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133377075 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133568048 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133635998 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.133999109 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134005070 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134011030 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134059906 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134066105 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134104967 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.134793043 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.135097027 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.135185957 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.135185957 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.135236979 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356095076 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356132030 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356187105 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356386900 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356398106 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356492043 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356828928 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.356838942 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.360708952 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.361500978 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.361526012 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.361565113 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.361593008 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.361649036 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365101099 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365159035 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365220070 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365243912 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365281105 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365505934 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365530014 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365757942 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365809917 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365834951 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365889072 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365894079 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.365907907 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367022991 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367093086 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367120981 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367146969 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367173910 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367208004 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367394924 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367449999 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367500067 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367523909 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367574930 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.367611885 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.583676100 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.584074020 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.584147930 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587606907 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587814093 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587863922 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587874889 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587908983 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587960005 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.587975979 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588047028 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588144064 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588160992 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588229895 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588294983 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588515997 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.588579893 CET4970523000192.168.2.545.15.156.127
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.801908970 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802140951 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802155972 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802531004 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802545071 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802556992 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802568913 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802650928 CET230004970545.15.156.127192.168.2.5
                                                                                                                                                                                                                  Mar 20, 2024 20:30:22.802748919 CET230004970545.15.156.127192.168.2.5
Timestamp                             Source Port   Dest Port   Source IP        Dest IP
Mar 20, 2024 20:30:22.802761078 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.805912971 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.805928946 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.805941105 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806025982 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806088924 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806175947 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806768894 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806813002 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806826115 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806837082 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.806879997 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807224035 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807292938 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807327986 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807440996 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807607889 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807674885 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:22.807882071 CET   49705         23000       192.168.2.5      45.15.156.127
Mar 20, 2024 20:30:22.807996035 CET   49705         23000       192.168.2.5      45.15.156.127
Mar 20, 2024 20:30:22.807996035 CET   49705         23000       192.168.2.5      45.15.156.127
Mar 20, 2024 20:30:22.808048964 CET   49705         23000       192.168.2.5      45.15.156.127
Mar 20, 2024 20:30:23.025501966 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.025542974 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.025643110 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.025659084 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.025943995 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.025959015 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026173115 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026212931 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026230097 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026370049 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026416063 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026698112 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026849985 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026863098 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.026933908 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027147055 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027153969 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027184963 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027230978 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027309895 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027321100 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027425051 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027437925 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.027585030 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028012991 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028026104 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028052092 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028075933 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028158903 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.028181076 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.064990044 CET   23000         49705       45.15.156.127    192.168.2.5
Mar 20, 2024 20:30:23.107331038 CET   49705         23000       192.168.2.5      45.15.156.127
Mar 20, 2024 20:30:23.117902040 CET   49705         23000       192.168.2.5      45.15.156.127
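The packet list above is the raw material for the report's "traffic on non-standard ports" signature: a local ephemeral port (49705) exchanging segments with a public address on TCP 23000. The following Python script is an added example and not part of the Joe Sandbox report. It takes rows in the same shape as that table (timestamp, source port, destination port, source IP, destination IP), pairs the two directions into one conversation, counts packets each way, measures how long the exchange lasted, and flags the remote endpoint when it is a public address on a port outside a small, illustrative set of common service ports. The ten rows embedded in it are copied from the table; the time-zone map and the port set are assumptions made for the example.

```python
"""Conversation summary over a sandbox packet list.

Added example, not part of the Joe Sandbox report. Rows have the same layout
as the report's network table: (timestamp, src port, dst port, src IP, dst IP).
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Time-zone abbreviations used by the capture. Assumption: CET is UTC+1, which
# holds for 20 March 2024 (before the switch to CEST).
TZ_BY_ABBREV = {"CET": timezone(timedelta(hours=1)), "UTC": timezone.utc}

# Ports a Windows client commonly talks to. Illustrative, not exhaustive;
# a public peer on any other port is worth a closer look.
COMMON_PORTS = {53, 80, 123, 443, 445, 587, 993, 995, 3389}

# Constructed sample: ten rows taken from the packet list above, covering both
# directions and the whole 20:30:22.80 - 20:30:23.12 window.
SAMPLE_ROWS = [
    ("Mar 20, 2024 20:30:22.802761078 CET", 23000, 49705, "45.15.156.127", "192.168.2.5"),
    ("Mar 20, 2024 20:30:22.805912971 CET", 23000, 49705, "45.15.156.127", "192.168.2.5"),
    ("Mar 20, 2024 20:30:22.807674885 CET", 23000, 49705, "45.15.156.127", "192.168.2.5"),
    ("Mar 20, 2024 20:30:22.807882071 CET", 49705, 23000, "192.168.2.5", "45.15.156.127"),
    ("Mar 20, 2024 20:30:22.807996035 CET", 49705, 23000, "192.168.2.5", "45.15.156.127"),
    ("Mar 20, 2024 20:30:22.808048964 CET", 49705, 23000, "192.168.2.5", "45.15.156.127"),
    ("Mar 20, 2024 20:30:23.025501966 CET", 23000, 49705, "45.15.156.127", "192.168.2.5"),
    ("Mar 20, 2024 20:30:23.064990044 CET", 23000, 49705, "45.15.156.127", "192.168.2.5"),
    ("Mar 20, 2024 20:30:23.107331038 CET", 49705, 23000, "192.168.2.5", "45.15.156.127"),
    ("Mar 20, 2024 20:30:23.117902040 CET", 49705, 23000, "192.168.2.5", "45.15.156.127"),
]


def parse_ts_ns(text):
    """Parse 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ' to integer nanoseconds since
    the Unix epoch. strptime's %f stops at microseconds, so the fractional
    part is split off and converted by hand to keep all nine digits."""
    stamp, tz_abbrev = text.rsplit(" ", 1)
    whole, frac = stamp.split(".")
    dt = datetime.strptime(whole, "%b %d, %Y %H:%M:%S")
    dt = dt.replace(tzinfo=TZ_BY_ABBREV[tz_abbrev])
    frac_ns = int(frac.ljust(9, "0")[:9])
    return int(dt.timestamp()) * 10**9 + frac_ns


def summarize_conversations(rows):
    """Group packets by endpoint pair (direction-independent) and return one
    summary dict per conversation, with the public peer labelled 'remote'."""
    convs = {}
    for ts_text, sport, dport, sip, dip in rows:
        ts = parse_ts_ns(ts_text)
        a, b = (sip, sport), (dip, dport)
        key = tuple(sorted([a, b]))
        c = convs.setdefault(key, {"first": ts, "last": ts, "packets": {a: 0, b: 0}})
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
        c["packets"][a] += 1

    out = []
    for (ep1, ep2), c in convs.items():
        remote = next((ep for ep in (ep1, ep2) if ip_address(ep[0]).is_global), None)
        local = ep2 if remote == ep1 else ep1
        out.append({
            "local": f"{local[0]}:{local[1]}",
            "remote": f"{remote[0]}:{remote[1]}" if remote else None,
            "to_remote": c["packets"][local],
            "from_remote": c["packets"][remote] if remote else 0,
            "duration_ms": (c["last"] - c["first"]) / 1e6,
            # True when a public peer listens on a port outside COMMON_PORTS
            "nonstandard_port": remote is not None and remote[1] not in COMMON_PORTS,
        })
    return out


if __name__ == "__main__":
    for conv in summarize_conversations(SAMPLE_ROWS):
        print(conv)
```

The direction-independent key (the sorted endpoint pair) is what lets the 49705-to-23000 and 23000-to-49705 rows collapse into one conversation; the public-versus-private test then decides which side to report as the peer, so the summary reads the same whether the capture starts with the client's SYN or, as here, mid-stream with server data.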

Target ID: 0
Start time: 20:30:06
Start date: 20/03/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xf50000
File size: 1'060'864 bytes
MD5 hash: 974EE5A979968D8D8FF4060F3DB411AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2221511032.0000000001132000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.2221326793.0000000000FA6000.00000004.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2225906747.0000000003372000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:30:06
Start date: 20/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
