Windows Analysis Report
cClRqPh29S.exe

Overview

General Information

Sample name: cClRqPh29S.exe (renamed because the original name is a hash value)
Original sample name: a20fc3377c07aa683a47397f9f5ff355.exe
Analysis ID: 1472618
MD5: a20fc3377c07aa683a47397f9f5ff355
SHA1: 13160e27dcea48dc9c5393948b7918cb2fcdd759
SHA256: f7891ca59e0907217db3eeafbe751e2d184317a871450b5ec401217a12df9d33
Tags: 32, exe, trojan

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cClRqPh29S.exe (PID: 3320 cmdline: "C:\Users\user\Desktop\cClRqPh29S.exe" MD5: A20FC3377C07AA683A47397F9F5FF355)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.215.113.67:40960"], "Bot Id": "1307newbild", "Authorization Header": "be3b7a5bc11a06f2dbf64954f0b83062"}
Yara matches (Source | Rule | Description | Author):
cClRqPh29S.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.2075152820.00000000009E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: cClRqPh29S.exe PID: 3320 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: cClRqPh29S.exe PID: 3320 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.cClRqPh29S.exe.9e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Snort alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):
07/13/24-06:20:59.595805 | 2046045 | 49709 | 40960 | TCP | A Network Trojan was detected
07/13/24-06:20:59.841358 | 2043234 | 40960 | 49709 | TCP | A Network Trojan was detected
07/13/24-06:21:12.381393 | 2043231 | 49709 | 40960 | TCP | A Network Trojan was detected
07/13/24-06:21:05.149119 | 2046056 | 40960 | 49709 | TCP | A Network Trojan was detected

AV Detection

Source: cClRqPh29S.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:40960"], "Bot Id": "1307newbild", "Authorization Header": "be3b7a5bc11a06f2dbf64954f0b83062"}
Source: cClRqPh29S.exe | Virustotal: Detection: 78%
Source: cClRqPh29S.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: cClRqPh29S.exe | Joe Sandbox ML: detected
Source: cClRqPh29S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cClRqPh29S.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49709 -> 185.215.113.67:40960
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49709 -> 185.215.113.67:40960
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.215.113.67:40960 -> 192.168.2.6:49709
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.215.113.67:40960 -> 192.168.2.6:49709
Source: Malware configuration extractor | URLs: 185.215.113.67:40960
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 185.215.113.67:40960
Source: Joe Sandbox View | IP Address: 185.215.113.67
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.67
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F22000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: cClRqPh29S.exe | String found in binary or memory: https://api.ip.sb/ip
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Code function: 0_2_02C5DC74
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\080904B0\\OriginalFilename vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000000.2075215789.0000000000A24000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrouping.exe8 vs cClRqPh29S.exe
Source: cClRqPh29S.exe, 00000000.00000002.2232969255.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs cClRqPh29S.exe
Source: cClRqPh29S.exe | Binary or memory string: OriginalFilenameCrouping.exe8 vs cClRqPh29S.exe
Source: cClRqPh29S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
Source: C:\Users\user\Desktop\cClRqPh29S.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Mutant created: NULL
Source: cClRqPh29S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cClRqPh29S.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004266000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cClRqPh29S.exe | Virustotal: Detection: 78%
Source: cClRqPh29S.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
Source: cClRqPh29S.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: cClRqPh29S.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: cClRqPh29S.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cClRqPh29S.exe | Static PE information: 0x91D7AA1C [Mon Jul 15 19:01:48 2047 UTC]
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Code function: 0_2_02C5C0A0 push cs; iretd 0_2_02C5C0AE
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Code function: 0_2_02C5C1E1 push cs; iretd 0_2_02C5C1EE
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Code function: 0_2_02C5983A push eax; iretd 0_2_02C5983B
Source: C:\Users\user\Desktop\cClRqPh29S.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\cClRqPh29S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Memory allocated: 1390000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Memory allocated: 2E30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Memory allocated: 2B60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Window / User API: threadDelayed 3692
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe TID: 2016 | Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe TID: 5144 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Thread delayed: delay time: 922337203685477
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: cClRqPh29S.exe, 00000000.00000002.2232969255.00000000010A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2234102970.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000003102000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000003264000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.00000000032DC000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.000000000333F000.00000004.00000800.00020000.00000000.sdmp, cClRqPh29S.exe, 00000000.00000002.2234102970.0000000003029000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 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
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004172000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: cClRqPh29S.exe, 00000000.00000002.2236053129.0000000004007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Users\user\Desktop\cClRqPh29S.exe VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: cClRqPh29S.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.cClRqPh29S.exe.9e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.2075152820.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: cClRqPh29S.exe PID: 3320, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                  Source: C:\Users\user\Desktop\cClRqPh29S.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                  Source: Yara match | File source: 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: cClRqPh29S.exe PID: 3320, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: cClRqPh29S.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.cClRqPh29S.exe.9e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.2075152820.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: cClRqPh29S.exe PID: 3320, type: MEMORYSTR
                  MITRE ATT&CK Matrix (the number in front of a technique is the count of matched behaviours)

                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                  | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                  | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
                  | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |

                  | Source | Detection | Scanner | Label | Link |
                  |---|---|---|---|---|
                  | cClRqPh29S.exe | 78% | Virustotal | | Browse |
                  | cClRqPh29S.exe | 68% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine | |
                  | cClRqPh29S.exe | 100% | Joe Sandbox ML | | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  | Source | Detection | Scanner | Label | Link |
                  |---|---|---|---|---|
                  | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id23ResponseD | 0% | URL Reputation | safe | |
                  | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe | |
                  | http://tempuri.org/ | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe | |
                  | http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe | |
                  | http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe | |
                  | http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe | |
                  | https://api.ip.sb/ip | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id1ResponseD | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe | |
                  | http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe | |
                  | http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe | |
                  | http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe | |
                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%URL Reputationsafe
                  http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust0%URL Reputationsafe
                  http://tempuri.org/Entity/Id100%URL Reputationsafe
                  http://tempuri.org/Entity/Id110%URL Reputationsafe
                  http://tempuri.org/Entity/Id120%URL Reputationsafe
                  http://tempuri.org/Entity/Id16Response0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%URL Reputationsafe
                  http://tempuri.org/Entity/Id130%URL Reputationsafe
                  http://purl.oen0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id140%URL Reputationsafe
                  http://tempuri.org/Entity/Id150%URL Reputationsafe
                  http://tempuri.org/Entity/Id160%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%URL Reputationsafe
                  http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id170%URL Reputationsafe
                  http://tempuri.org/Entity/Id180%URL Reputationsafe
                  http://tempuri.org/Entity/Id5Response0%URL Reputationsafe
                  http://tempuri.org/Entity/Id190%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%URL Reputationsafe
                  http://tempuri.org/Entity/Id10Response0%URL Reputationsafe
                  http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%URL Reputationsafe
                  http://tempuri.org/Entity/Id8Response0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%URL Reputationsafe
                  http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA10%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust0%URL Reputationsafe
                  http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                  http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://purl.oen | cClRqPh29S.exe, 00000000.00000002.2233628001.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp; cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | cClRqPh29S.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F22000.00000004.00000800.00020000.00000000.sdmp; cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp; cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8Response | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8ResponseD | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | cClRqPh29S.exe, 00000000.00000002.2234102970.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.67 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
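Almost every string in the URL table above is a WS-*/WCF namespace URI (tempuri.org, schemas.xmlsoap.org, docs.oasis-open.org). These are constants embedded by System.ServiceModel in any .NET binary that uses WCF; RedLine's C2 channel is built on WCF, so their presence confirms the framework, not contact with those hosts. The indicators that matter in this section are the public-IP lookup https://api.ip.sb/ip and the hard-coded IP 185.215.113.67 (ASN 206894, already associated with Amadey/Raccoon samples in the Context table below). The script below is an added example of that triage step, not part of the Joe Sandbox report or of the sample; the host lists and category names are my own assumptions, and the input list is constructed from rows of this report.

```python
"""Split sandbox URL strings into framework noise and actionable indicators.

Added example, not from the Joe Sandbox report. The host sets below are an
assumption about what counts as ".NET/WCF namespace noise" and "public-IP
lookup"; extend them for your own environment.
"""
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Namespace hosts that System.ServiceModel (WCF) embeds as string constants.
# Their presence says "this binary uses WCF", not "this binary contacts them".
FRAMEWORK_HOSTS = {
    "tempuri.org",          # default WCF service namespace
    "schemas.xmlsoap.org",  # WS-Addressing, WS-Trust, WS-AT, WS-RM, WS-Coordination
    "docs.oasis-open.org",  # WS-Security token profiles
    "schemas.microsoft.com",
    "www.w3.org",
    "purl.org",             # Dublin Core; the report shows it truncated as "purl.oen"
}

# Public-IP lookup services: not C2, but a strong behavioural indicator
# (the stealer geolocates the victim before check-in).
IP_LOOKUP_HOSTS = {"api.ip.sb", "ipinfo.io", "api.ipify.org", "icanhazip.com"}

# Constructed sample input, taken from rows of the report above.
SAMPLE_STRINGS = [
    "http://tempuri.org/Entity/Id12Response",
    "http://tempuri.org/",
    "http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue",
    "http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",  # listed twice in the report
    "https://api.ip.sb/ip",
    "http://purl.oen",                       # truncated string, needs a human look
    "185.215.113.67/4dcYcWsw3/index.php",    # scheme-less, as in the Context table
]


def _host(s: str) -> str:
    """Return the lower-cased host of a URL; Context rows have no scheme."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def classify(s: str) -> str:
    """Bucket one string: network-ioc | ip-lookup | framework | review."""
    host = _host(s)
    if not host:
        return "review"
    try:
        ipaddress.ip_address(host)      # a literal IP in a URL is always actionable
        return "network-ioc"
    except ValueError:
        pass
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    if host in FRAMEWORK_HOSTS or host.endswith(tuple("." + h for h in FRAMEWORK_HOSTS)):
        return "framework"
    return "review"                     # unknown host or truncated string


def triage(strings):
    """Deduplicate (order-preserving) and group strings by category."""
    buckets = defaultdict(list)
    for s in dict.fromkeys(strings):
        buckets[classify(s)].append(s)
    return dict(buckets)


def framework_summary(strings):
    """Per-host count of suppressed framework strings, so the suppression is auditable."""
    return Counter(_host(s) for s in strings if classify(s) == "framework")


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for category in ("network-ioc", "ip-lookup", "review"):
        for s in result.get(category, []):
            print(f"{category:12s} {s}")
    print("suppressed framework strings:", dict(framework_summary(SAMPLE_STRINGS)))
```

Run it over the full string dump of a sample rather than the report excerpt: the "review" bucket is the part an analyst still reads by hand, and the per-host summary is what you attach to the case notes to justify discarding the rest.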
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1472618
Start date and time: 2024-07-13 06:20:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cClRqPh29S.exe (renamed because the original name is a hash value)
Original Sample Name: a20fc3377c07aa683a47397f9f5ff355.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:21:09 | API Interceptor | 21x Sleep call for process: cClRqPh29S.exe modified
Match: 185.215.113.67
Associated Sample Name / URL | Detection | Threat Name | Context
oMHveSc3hh.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
0KuDEDABFO.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
miOnrvnXK0.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
Rh74sODsWE.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
dSQUdo6EjO.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
usVhwck8lN.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
SecuriteInfo.com.W32.AIDetect.malware1.20102.exe | malicious | Amadey | 185.215.113.67/4dcYcWsw3/index.php
MR98F1zzeo.exe | malicious | Amadey Raccoon Vidar | 185.215.113.67/4dcYcWsw3/index.php
8f5718a6042061b23a4e42ee5cd8112946c135dc9d0c2.exe | malicious | Amadey | 185.215.113.67/4dcYcWsw3/index.php
fC4T1vVs24.exe | malicious | Amadey | umbrelladownload.uno/gp6GbqVce/index.php
Domains: No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
dlcdkJcbbV.exe | malicious | LummaC, RedLine | 185.215.113.67
file.exe | malicious | Python Stealer, Amadey, LummaC Stealer, Mars Stealer, Monster Stealer, PureLog Stealer, RedLine | 185.215.113.67
setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc | 185.215.113.67
setup.exe | malicious | RedLine | 185.215.113.67
1Vkf7silOj.exe | malicious | LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc | 185.215.113.67
hsRju5CPK2.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | 185.215.113.67
mCTacyNuyM.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 185.215.113.67
yWny5Jds8b.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine | 185.215.113.67
file.exe | malicious | LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader | 185.215.113.67
setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 185.215.113.67
JA3 Fingerprints: No context
Dropped Files: No context
Process: C:\Users\user\Desktop\cClRqPh29S.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 3FD5C0634443FB2EF2796B9636159CB6
SHA1: 366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256: 58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512: 8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.0308036644272365
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: cClRqPh29S.exe
File size: 304'128 bytes
MD5: a20fc3377c07aa683a47397f9f5ff355
SHA1: 13160e27dcea48dc9c5393948b7918cb2fcdd759
SHA256: f7891ca59e0907217db3eeafbe751e2d184317a871450b5ec401217a12df9d33
SHA512: dcdba7203efeea40366375fb54123b11bba972552795c64cbe912bef137698d308ea8e370732e5a65cba5687fbe6095bd53e5e1e49e3a6d8cf6912ebb61da254
SSDEEP: 3072:zqFFrqwIOG/Zyzca1p8oT4ipvJYThdNS8TZ0fHIAcZqf7D34deqiOLCbBO9:OBIOG6h4Pdg8TZixcZqf7DInL
TLSH: 7A545B1833E89910E67F4B799470D67093B5EC12A853E31E5ED0AC6B3D36B80EA157F2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x429fe2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x91D7AA1C [Mon Jul 15 19:01:48 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (at entrypoint 0x429fe2): jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29f90 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x1c9cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29f74 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2cfc8 | 0x2d000 | bf0a57ae8ac44afb9d6dd8f019c6c956 | False | 0.46185438368055554 | data | 6.170736584923635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x30000 | 0x1c9cc | 0x1cc00 | 35ae33fc7b2b8f2ee7b2edb10459f472 | False | 0.23725373641304348 | data | 2.6060193957043305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4e000 | 0xc | 0x400 | 0113d364b2da82c57188eaf2e130ebc5 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x301a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x33eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x446ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x48924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4aedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4bf94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4c40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4c478 | 0x352 | data | | | 0.4388235294117647
RT_MANIFEST | 0x4c7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/13/24-06:20:59.595805 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49709 | 40960 | 192.168.2.6 | 185.215.113.67
07/13/24-06:20:59.841358 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 40960 | 49709 | 185.215.113.67 | 192.168.2.6
07/13/24-06:21:12.381393 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49709 | 40960 | 192.168.2.6 | 185.215.113.67
07/13/24-06:21:05.149119 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 40960 | 49709 | 185.215.113.67 | 192.168.2.6
TCP packets (192.168.2.6:49709 <-> 185.215.113.67:40960): Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 13, 2024 06:21:08.706396103 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706398964 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706507921 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706516027 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706522942 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706530094 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706538916 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706631899 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706640005 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706646919 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706655025 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706712008 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706722021 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706729889 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706737995 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706744909 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706748962 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.706837893 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706845999 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706854105 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706866980 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706871033 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.706979036 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.706986904 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707103968 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707112074 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707118988 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707127094 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707201958 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707211018 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707217932 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707226038 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707232952 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707241058 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707412958 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707422018 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707427979 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707436085 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707443953 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707451105 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707467079 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707473993 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707480907 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707488060 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707495928 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707503080 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707510948 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707518101 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707561970 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707570076 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707582951 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707591057 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707597971 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707686901 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707695007 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707703114 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.707715988 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.712434053 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.712441921 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.712661982 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.712790012 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.713740110 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713749886 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713875055 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713882923 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713890076 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713989019 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.713995934 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714003086 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714010954 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714018106 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714025021 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714118004 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714127064 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714133978 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714142084 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714148998 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714157104 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714159966 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714173079 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714179993 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714183092 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714250088 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714257956 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714265108 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714378119 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714385986 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714400053 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714409113 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714416027 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714492083 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714499950 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714512110 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714519978 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714528084 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714534998 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714544058 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714618921 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714626074 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714632988 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714642048 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714648962 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714658022 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714776039 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714783907 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714791059 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714797974 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714801073 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714939117 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.714946985 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715055943 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715064049 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715073109 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715080023 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715087891 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.715312958 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.715440989 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.717766047 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.717775106 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.717787027 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.717879057 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.717978954 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.717986107 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.718108892 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.718116999 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.718435049 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.718442917 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.719177008 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.719188929 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.719471931 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.719480038 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.719945908 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.720091105 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.720572948 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.720750093 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.721183062 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.721190929 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.721636057 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.721812010 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.722117901 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.722440958 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723025084 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723077059 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723086119 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723093033 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723100901 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723109007 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723117113 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723124027 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723154068 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723161936 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723169088 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723176003 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723184109 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723191023 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723197937 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723206043 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723213911 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723221064 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723228931 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723236084 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723243952 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723252058 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723258972 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723267078 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723275900 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723287106 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723295927 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723303080 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723309994 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723318100 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723325968 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723332882 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723340988 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723361015 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723368883 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723376036 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723383904 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723392010 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723400116 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723407030 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723413944 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723421097 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723428965 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723436117 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723443985 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723449945 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723458052 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723464966 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723472118 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723479986 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723494053 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723500967 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723507881 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723515987 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723522902 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723531008 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723539114 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723614931 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723623037 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723630905 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723639965 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723648071 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723706007 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.723752975 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723783970 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723790884 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723800898 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723854065 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.723922014 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.723929882 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724064112 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724071980 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724078894 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724087000 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724198103 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724205971 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724212885 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724220991 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724227905 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724312067 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724319935 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724327087 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724334955 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724349022 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724355936 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724499941 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.724709034 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.724836111 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.731045961 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731055021 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731067896 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731075048 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731189013 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731195927 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731340885 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731502056 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731508970 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731519938 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731632948 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731641054 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731653929 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731663942 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731762886 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731770992 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731784105 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731791973 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731911898 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.731920004 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732060909 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732069016 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732177973 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732186079 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732449055 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732614994 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732734919 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732743025 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732745886 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732748985 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732758045 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732772112 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732884884 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732892990 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732901096 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732903957 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732913017 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732919931 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732935905 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.732943058 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733031034 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733037949 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733046055 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733053923 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733350039 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733357906 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733371019 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733377934 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733483076 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733496904 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733510971 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733517885 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733530045 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733606100 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733613968 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733625889 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733633995 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733642101 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733783007 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733793020 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733874083 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.733903885 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733911037 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733918905 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733926058 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.733999968 CEST4970940960192.168.2.6185.215.113.67
                  Jul 13, 2024 06:21:08.734040022 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734046936 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734055042 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734061956 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734159946 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734183073 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734189987 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734198093 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734204054 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734211922 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734407902 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734416008 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734422922 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734430075 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734505892 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734513044 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734519958 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734527111 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734534979 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734541893 CEST4096049709185.215.113.67192.168.2.6
                  Jul 13, 2024 06:21:08.734651089 CEST4096049709