Windows Analysis Report
injectorQWEEX.exe

Overview

General Information

Sample name: injectorQWEEX.exe (renamed file extension from bin to exe)
Original sample name: injectorQWEEX.bin
Analysis ID: 1630529
MD5: d44daf1beea1a9ed0cc2eeacd2bfbd5c
SHA1: 22e54e3272ada9a1546e80e10ff73425da5e1ab5
SHA256: b2fc6d0c50f49c03a0f7863ca82036d09a74a275080ae5aebe7131582a893612

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification label: mal100.troj.evad.winEXE@2/0@0/1 (the classification graphic is not reproduced here)

Process Tree

  • System is w10x64native
  • injectorQWEEX.exe (PID: 1304 cmdline: "C:\Users\user\Desktop\injectorQWEEX.exe" MD5: D44DAF1BEEA1A9ED0CC2EEACD2BFBD5C)
    • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component that targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware configuration (RedLine): {"C2 url": "45.15.156.127:23000"}
Yara Overview: Memory Dumps (source | rule | description | author)
  • 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • Process Memory Space: injectorQWEEX.exe PID: 1304 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara Overview: Unpacked PEs (source | rule | description | author)
  • 0.2.injectorQWEEX.exe.1052998.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
  • 0.2.injectorQWEEX.exe.1052998.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.injectorQWEEX.exe.1052998.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • 0.2.injectorQWEEX.exe.1052998.1.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen; matched strings:
    • 0x3d3a7: $s1: file:///
    • 0x3d2df: $s2: {11111-22222-10009-11112}
    • 0x3d337: $s3: {11111-22222-50001-00000}
    • 0x3880c: $s4: get_Module
    • 0x38c76: $s5: Reverse
    • 0x3b642: $s6: BlockCopy
    • 0x39035: $s7: ReadByte
    • 0x3d3b9: $s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
  • 0.2.injectorQWEEX.exe.1240000.2.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
  • (7 further entries are collapsed on the original page)

No Sigma rule has matched
No Suricata rule has matched
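The `$s8` hex string in the ditekSHen zgRAT match above is not random bytes: it is a run of UTF-16LE strings laid out the way the .NET `#US` (user string) heap stores them, characters followed by a terminal byte and then the one-byte compressed length of the next entry, which is why the rule fires on the unpacked .NET payload rather than on the packed loader. The Python below is an added example, not code from the report or from the YARA rule; it decodes that byte pattern and scans a buffer for the rule's eight strings. The rule's condition is not printed in the report, so the scanner only reports which strings are present. The `#US` layout reading, the treatment of `$s1` to `$s7` as plain ASCII, and the sample buffer are assumptions of this example.

```python
"""Decode the byte pattern behind the zgRAT YARA string $s8 and scan a buffer
for the rule's string set (added example; not the report's or the rule's code)."""
import struct

# $s8 hex bytes exactly as printed in the report (the report truncates it with "...").
S8_HEX = (
    "4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 "
    "00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 "
    "74 00 75 00 61 00 6C 00"
)
S8 = bytes.fromhex(S8_HEX)

# $s1..$s7 as printed in the report; treated here as plain ASCII (assumption).
ZGRAT_TEXT_STRINGS = {
    "$s1": b"file:///",
    "$s2": b"{11111-22222-10009-11112}",
    "$s3": b"{11111-22222-50001-00000}",
    "$s4": b"get_Module",
    "$s5": b"Reverse",
    "$s6": b"BlockCopy",
    "$s7": b"ReadByte",
}


def decode_us_heap_run(data: bytes):
    """Walk consecutive .NET #US heap entries starting inside one entry.

    Assumed layout (ECMA-335 #US heap, short strings): [length][UTF-16LE chars][terminal byte].
    The YARA match starts at the characters of the first entry, so that string is read as
    printable UTF-16LE code units; every later entry is read via its length byte.
    Returns a list of (text, truncated) pairs.
    """
    out, pos, first = [], 0, []
    while pos + 2 <= len(data):
        unit = struct.unpack_from("<H", data, pos)[0]
        if not 0x20 <= unit < 0x7F:   # reached terminal byte + length byte of the next entry
            break
        first.append(chr(unit))
        pos += 2
    out.append(("".join(first), False))
    while pos + 2 <= len(data):
        pos += 1                       # terminal byte of the previous entry
        length = data[pos]             # compressed length: 2 * chars + 1
        pos += 1
        nbytes = (length - 1) // 2 * 2
        raw = data[pos:pos + nbytes]
        pos += nbytes
        out.append((raw.decode("utf-16-le", errors="replace"), len(raw) < nbytes))
    return out


def find_zgrat_strings(buf: bytes):
    """Return {rule string name: offset} for every rule string present in buf."""
    hits = {}
    for name, needle in ZGRAT_TEXT_STRINGS.items():
        off = buf.find(needle)
        if off >= 0:
            hits[name] = off
    off = buf.find(S8)
    if off >= 0:
        hits["$s8"] = off
    return hits


def build_sample_buffer() -> bytes:
    """Constructed buffer carrying all eight strings (not a real memory dump)."""
    filler = b"\x00" * 64
    return filler.join([b"MZ", *ZGRAT_TEXT_STRINGS.values(), S8, b"\x00\x00"])


if __name__ == "__main__":
    for text, truncated in decode_us_heap_run(S8):
        print(repr(text) + (" (truncated)" if truncated else ""))
    print(sorted(find_zgrat_strings(build_sample_buffer())))
```

Decoding `$s8` yields `Location`, `Find `, `ResourceA` and a cut-off `Virtual...`, i.e. user strings of the unpacked assembly, which is consistent with the zgRAT rule matching `*.unpack` artefacts rather than the on-disk sample.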

                    AV Detection

Source: injectorQWEEX.exe.1304.0.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:23000"}
Source: injectorQWEEX.exe | Virustotal: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: injectorQWEEX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: injectorQWEEX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.ServiceModel.pdb969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbF source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb^I source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: applaunch.pdb source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25545351239.000000000459D000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.25450375781.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24698088273.00000000045BE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Code function: 0_2_00D36370 FindFirstFileExW

                    Networking

Source: Malware configuration extractor | URLs: 45.15.156.127:23000
Source: global traffic | TCP traffic: 192.168.11.20:49751 -> 45.15.156.127:23000
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127 (reported 50 times)
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  • http://tempuri.org/
  • http://tempuri.org/example/Field1
  • http://tempuri.org/example/Field1ResponsetYHq
  • http://tempuri.org/example/Field2
  • http://tempuri.org/example/Field2D
  • http://tempuri.org/example/Field2d
  • http://tempuri.org/example/Field2rm
  • http://tempuri.org/example/Field3
  • http://tempuri.org/example/Field3nm
  • https://api.ip.sb/ip
  • https://discord.com/api/v9/users/
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/exa
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/example/
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://tempuri.org/example/Field1LR
  • http://tempuri.org/example/Field2LR
  • http://tempuri.org/example/Field3LR
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://tempuri.org/example/Field1Response
  • http://tempuri.org/example/Field2Response
  • http://tempuri.org/example/Field3Response
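The fifty "TCP traffic detected without corresponding DNS query" lines are what a hard-coded `IP:port` C2 looks like from the network side: the sample never resolves a host name, it simply reconnects to 45.15.156.127:23000 until the analysis ends. The Python below is an added example, not code from the report, showing the detection logic behind that signature and matching the extracted C2 against a constructed connection log. The log format, the local-range exclusion, and the simplification that any A-record answer for the IP counts regardless of order are assumptions of this example; the documentation-range addresses stand in for real resolved hosts.

```python
"""Detect TCP connections to destinations that were never resolved via DNS and match
them against the RedLine C2 from the report (added example; not the report's code)."""
import ipaddress
from collections import Counter

# Constructed log (not the sandbox capture). 203.0.113.10 and 198.51.100.7 are
# documentation-range stand-ins; 45.15.156.127:23000 is the C2 printed in the report.
SAMPLE_LOG = """\
dns  192.168.11.20  www.youtube.com  A  203.0.113.10
tcp  192.168.11.20:49750  203.0.113.10:443
tcp  192.168.11.20:49751  45.15.156.127:23000
tcp  192.168.11.20:49752  45.15.156.127:23000
tcp  192.168.11.20:49753  45.15.156.127:23000
tcp  192.168.11.20:49754  10.0.0.5:445
tcp  192.168.11.20:49755  198.51.100.7:443
"""

REDLINE_IOCS = {"45.15.156.127:23000"}   # value from the report's malware configuration extractor

# RFC 1918, loopback and link-local: LAN noise such as SMB to 10.0.0.5 is not "C2 without DNS".
# ipaddress.is_private is deliberately not used because it also covers the documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_log(text: str):
    """Return (connections, resolved): (src, dst_ip, dst_port) tuples and a map from every
    IP seen in an A-record answer to the names that resolved to it."""
    conns, resolved = [], {}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "dns" and f[3] == "A":
            resolved.setdefault(f[4], []).append(f[2])
        elif f[0] == "tcp":
            dst_ip, dst_port = f[2].rsplit(":", 1)
            conns.append((f[1], dst_ip, int(dst_port)))
    return conns, resolved


def connections_without_dns(conns, resolved, ignore_local=True):
    """Connection count per (ip, port) whose destination never appeared in a DNS answer.
    The sandbox signature fires once per such flow, hence the 50 identical report lines."""
    counts = Counter()
    for _src, ip, port in conns:
        if ignore_local and is_local(ip):
            continue
        if ip not in resolved:
            counts[(ip, port)] += 1
    return dict(counts)


def ioc_hits(conns, iocs):
    """Sorted 'ip:port' destinations that match a known C2 list."""
    return sorted({f"{ip}:{port}" for _src, ip, port in conns if f"{ip}:{port}" in iocs})


if __name__ == "__main__":
    conns, resolved = parse_log(SAMPLE_LOG)
    for (ip, port), n in sorted(connections_without_dns(conns, resolved).items()):
        print(f"no DNS answer for {ip}:{port} ({n} connections)")
    print("C2 hits:", ioc_hits(conns, REDLINE_IOCS))
```

On the constructed log the unresolved-destination check flags both the C2 and an unrelated external host, while the IOC match isolates the RedLine endpoint; in a production pipeline the DNS answer should also be required to precede the connection, and the IOC list should come from the configuration extractor output rather than be typed in.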

                    System Summary

Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Code functions: 0_2_00D2C4D0, 0_2_00D28890, 0_2_00D274B0, 0_2_00D2EC50, 0_2_00D1A840, 0_2_00D26030, 0_2_00D2B030, 0_2_00D25C20, 0_2_00D2A1E0, 0_2_00D295E0, 0_2_00D19DB0, 0_2_00D3D151, 0_2_00D2B6C0, 0_2_00D2BA90, 0_2_00D156B0, 0_2_00D27660, 0_2_00D1DA10, 0_2_00D253D0, 0_2_00D26BC0, 0_2_00D29B10, 0_2_00D24B10, 0_2_00D26730, 0_2_00D2E730, 0_2_00D28F20, 0_2_00D26320, 0_2_03340870, 0_2_03340880, 0_2_03347668, 0_2_0334765A, 0_2_069475B8, 0_2_0694A3F8, 0_2_0694A3EA, 0_2_069481F8
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Code function: String function: 00D2FDB0 appears 33 times
Source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25524783931.00000000010D5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGristles.exe" vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25545351239.000000000459D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000003.25450375781.00000000045BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25526194072.00000000013BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000002.25525360540.00000000012C6000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGristles.exe" vs injectorQWEEX.exe
Source: injectorQWEEX.exe, 00000000.00000003.24698088273.00000000045BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe
Source: injectorQWEEX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: injectorQWEEX.exe | Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: injectorQWEEX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: injectorQWEEX.exe | Virustotal: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\injectorQWEEX.exe "C:\Users\user\Desktop\injectorQWEEX.exe"
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\injectorQWEEX.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: edgegdi.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\injectorQWEEX.exeSection loaded: mswsock.dllJump to behavior
                    Source: injectorQWEEX.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: injectorQWEEX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.ServiceModel.pdb969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbF source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb^I source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D15000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000003.24411418172.0000000001428000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25526698824.000000000142D000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24412348172.000000000142C000.00000004.00000020.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409019947.0000000001428000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: applaunch.pdb source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000002.25545351239.000000000459D000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.25450375781.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24698088273.00000000045BE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

Source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, --.cs; .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: injectorQWEEX.exe; Static PE information: real checksum: 0xe574a should be: 0xf2fa3
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D3D861 push ecx; ret 0_2_00D3D874
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_0334F4F0 push esp; retf 0_2_0334F4F1
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_0694DEC8 push es; retf 0_2_0694DF7C
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_06946A60 push es; retn 0004h 0_2_06946FB0
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_0694F280 push es; ret 0_2_0694F290
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_06946FA0 push es; retn 0004h 0_2_06946FB0
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_06941C10 push es; ret 0_2_06941C20
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_06941BB0 push es; ret 0_2_06941BE0
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_06941BF0 push es; ret 0_2_06941C00
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_0694E88A push eax; ret 0_2_0694E891
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Process information set: NOOPENFILEERRORBOX (51 identical entries in the report; this SetErrorMode call is made by the CLR loader while probing for assemblies and carries little weight on its own)
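The checksum mismatch reported above (stored 0xe574a, expected 0xf2fa3) is easy to reproduce outside the sandbox. The script below is an added example, not part of the Joe Sandbox report or of the sample: it implements the PE header checksum (the DWORD sum with end-around carry that CheckSumMappedFile uses), locates the CheckSum field from e_lfanew, and compares stored against computed. The image it checks is constructed in code; to check a real file, pass its bytes to verify_checksum. A zero stored value only means the linker never filled the field; a non-zero wrong value, as here, usually means the file was modified after linking (packing, patching, an appended payload). User-mode loading does not enforce the checksum, so this is a triage signal rather than a load-time control.

```python
"""PE header checksum verification (added example; the image is constructed here)."""
import struct


def pe_checksum_raw(data: bytes, checksum_offset: int) -> int:
    """Checksum of `data` with the 4-byte field at `checksum_offset` excluded.

    Sum every little-endian DWORD with end-around carry into 32 bits, fold the
    result to 16 bits, then add the file length. Trailing bytes that do not fill
    a DWORD are zero-padded, as CheckSumMappedFile does.
    """
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # 4-byte signature, 20-byte COFF header, CheckSum at +0x40 inside the optional header
    return e_lfanew + 4 + 20 + 0x40


def verify_checksum(data: bytes) -> tuple[int, int, bool]:
    """Return (stored, computed, matches) for a whole PE file image."""
    offset = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, offset)[0]
    computed = pe_checksum_raw(data, offset)
    return stored, computed, stored == computed


def build_sample_pe(stored_checksum: int) -> bytes:
    """Constructed minimal PE32 (headers plus filler bytes) carrying `stored_checksum`."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)               # CheckSum field
    section = b".text\0\0\0" + b"\0" * 32                            # one empty section header
    filler = b"\x90" * 200 + b"\x55\x8b\xec"                         # odd length, exercises padding
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + filler


if __name__ == "__main__":
    unset = build_sample_pe(0)
    correct = pe_checksum_raw(unset, checksum_field_offset(unset))
    for label, image in (("correct", build_sample_pe(correct)),
                         ("patched", build_sample_pe(correct ^ 0x1234))):
        stored, computed, ok = verify_checksum(image)
        print(f"{label}: stored=0x{stored:x} computed=0x{computed:x} {'OK' if ok else 'MISMATCH'}")
```

The stored field is skipped by the sum, so writing the computed value back into the header and recomputing yields the same number; that is the round trip a linker performs and the one a packer that rewrites sections usually does not.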

                    Malware Analysis System Evasion

Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Memory allocated: 3340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Memory allocated: 3540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Memory allocated: 3480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Window / User API: threadDelayed 9986
Source: C:\Users\user\Desktop\injectorQWEEX.exe; API coverage: 7.5 %
Source: C:\Users\user\Desktop\injectorQWEEX.exe TID: 1080; Thread sleep count: 9986 > 30
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D36370 FindFirstFileExW,0_2_00D36370
Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe
Source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmp, injectorQWEEX.exe, 00000000.00000003.24409635498.0000000005D57000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliis
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D33BE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D33BE6
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D385F3 GetProcessHeap,0_2_00D385F3
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Process token adjusted: Debug
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D2FCEC SetUnhandledExceptionFilter,0_2_00D2FCEC
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D2F6B2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D2F6B2
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D33BE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D33BE6
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D2FB90 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D2FB90
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D2FDF5 cpuid 0_2_00D2FDF5
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Code function: 0_2_00D2FA77 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D2FA77
Source: C:\Users\user\Desktop\injectorQWEEX.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
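The memory-string and sleep-count lines in this section are the ones worth machine-reading when many such reports are processed. The script below is an added example, not part of the report: it parses signature lines in the flattened "Source: ...sdmp Binary or memory string: ..." and "TID: ... Thread sleep count: N > T" shapes shown above, decodes the module and dump base address from the .sdmp name, and emits findings for VM-agent process-name checks (qemu-ga.exe is the name this report shows; the other agent names in the set are assumed additions), OriginalFilename/file-name disagreements (the .exe cases, applaunch.exe and Gristles.exe, are separated from the .dll case, clr.dll, which is just the loaded runtime's own version resource), and sleep loops over the sandbox threshold. The input lines are constructed after the report's own format. The "Hyper-V RAW" string is intentionally not flagged: it is the name of the Winsock AF_HYPERV provider in mswsock.dll, which the sample loads.

```python
"""Triage parser for Joe Sandbox signature lines (added example; input is constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# VM guest-agent process names a sample may look for. qemu-ga.exe is the one this
# report shows; the rest are assumed additions for the same style of check.
VM_AGENT_NAMES = {"qemu-ga.exe", "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}

# "Source: <module>, <pid>.<run>.<ts>.<base>.<...>.sdmpBinary or memory string: <value>"
MEMSTR_RE = re.compile(r"^Source: (?P<src>.+?\.sdmp)Binary or memory string: (?P<value>.*)$")
SDMP_RE = re.compile(r"^(?P<module>[^,]+), \d{8}\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")
# "OriginalFilename<name>[junk] vs <sample name>"
ORIGNAME_RE = re.compile(r"^OriginalFilename(?P<name>.+?\.(?:exe|dll))\S* vs (?P<sample>\S+)$", re.I)
# "Source: <process> TID: <tid>Thread sleep count: <n> > <threshold>"
SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)Thread sleep count: (?P<count>\d+) > (?P<threshold>\d+)$")


@dataclass
class Finding:
    category: str
    value: str
    module: Optional[str] = None
    base: Optional[int] = None       # dump base address, if the source was a .sdmp
    note: str = ""


def dump_origin(src: str):
    """Split 'injectorQWEEX.exe, 00000000.00000002.<ts>.<base>....sdmp' into (module, base)."""
    m = SDMP_RE.match(src)
    if not m:
        return src, None
    return m.group("module"), int(m.group("base"), 16)


def classify_memory_string(value: str, module: str, base: Optional[int]) -> Optional[Finding]:
    basename = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in VM_AGENT_NAMES:
        return Finding("vm_artifact", basename, module, base, "process-name check for a VM guest agent")
    m = ORIGNAME_RE.match(value)
    if m:
        name, sample = m.group("name"), m.group("sample")
        if name.lower() == sample.lower():
            return None                      # version info agrees with the file name
        if name.lower().endswith(".exe"):
            return Finding("original_filename_exe", name, module, base,
                           f"version resource names {name}, file is {sample}")
        return Finding("original_filename_dll", name, module, base,
                       "a loaded DLL's own version resource; expected in a dump")
    return None


def triage(lines):
    """Turn report lines into Findings; lines in other shapes are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SLEEP_RE.match(line)
        if m:
            count, threshold = int(m.group("count")), int(m.group("threshold"))
            if count > threshold:
                findings.append(Finding("sleep_loop", f"tid {m.group('tid')}: {count} sleeps",
                                        m.group("proc"), None, f"over sandbox threshold {threshold}"))
            continue
        m = MEMSTR_RE.match(line)
        if m:
            module, base = dump_origin(m.group("src"))
            finding = classify_memory_string(m.group("value"), module, base)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed input, shaped after the report's own lines.
SAMPLE_LINES = [
    r"Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE",
    r"Source: injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe",
    r"Source: injectorQWEEX.exe, 00000000.00000002.25545351239.0000000004541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapplaunch.exeT vs injectorQWEEX.exe",
    r'Source: injectorQWEEX.exe, 00000000.00000002.25524783931.00000000010D5000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGristles.exe" vs injectorQWEEX.exe',
    r"Source: injectorQWEEX.exe, 00000000.00000002.25526194072.00000000013BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs injectorQWEEX.exe",
    r"Source: C:\Users\user\Desktop\injectorQWEEX.exe TID: 1080Thread sleep count: 9986 > 30",
    # Winsock AF_HYPERV provider name from mswsock.dll, not a VM check: must not be flagged.
    r"Source: injectorQWEEX.exe, 00000000.00000002.25546885364.0000000005D57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliis",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        where = f"{f.module} @0x{f.base:x}" if f.base is not None else f.module
        print(f"{f.category:22} {f.value:35} {where}  {f.note}")
    print(summarize(triage(SAMPLE_LINES)))
```

Running it on the sample lines yields two vm_artifact findings (both qemu-ga.exe, from the same dump at 0x3541000), two original_filename_exe findings, one original_filename_dll finding and one sleep_loop finding; the Hyper-V line produces nothing.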

                    Stealing of Sensitive Information

Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: injectorQWEEX.exe PID: 1304, type: MEMORYSTR
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE

                    Remote Access Functionality

Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: injectorQWEEX.exe PID: 1304, type: MEMORYSTR
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1240000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.injectorQWEEX.exe.1052998.1.unpack, type: UNPACKEDPE
ATT&CK matrix by tactic (numbers in parentheses are the report's matched-signature counts as extracted; techniques without a count were not observed):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (2), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (23), Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source: injectorQWEEX.exe; Detection: 48%; Scanner: Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source: 45.15.156.127:23000; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
No contacted domains info
Name: 45.15.156.127:23000; Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
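For the network side, a practitioner wants the C2 endpoint (45.15.156.127:23000) as an IOC plus two behaviour rules that survive a C2 change: outbound TCP to an unexpected high port with no recognised service, and a lookup of an IP-echo service for victim geolocation (https://api.ip.sb/ip appears in the URL list below). The following is an added example, not part of the report: it parses a Zeek-style conn.log and a DNS query list, both constructed here, and applies those rules. The IP-echo domains other than api.ip.sb, the expected-port list and the internal-network definition are assumptions; RFC1918 plus loopback and link-local is used as "internal" so that the documentation addresses in the sample log count as external. The tempuri.org and schemas.xmlsoap.org entries in the URL list are WCF contract and SOAP/WS-* namespace identifiers from System.ServiceModel, not hosts the sample contacts, so they are not network IOCs.

```python
"""Flag C2-style connections in a Zeek-like conn.log (added example; logs are constructed)."""
import ipaddress

# The C2 endpoint this report lists. Add further (ip, port) pairs from other reports.
C2_IOCS = {("45.15.156.127", 23000)}
# api.ip.sb is in this report's URL list; the other IP-echo services are assumptions.
IP_ECHO_DOMAINS = {"api.ip.sb", "ipinfo.io", "icanhazip.com", "api.ipify.org"}
# Ports where an outbound TCP session is unremarkable (assumption; tune per environment).
EXPECTED_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389, 8080, 8443}
# RFC1918, loopback and link-local count as internal; documentation ranges such as
# 203.0.113.0/24 are deliberately treated as external so the sample log exercises the rules.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Parse Zeek TSV with a '#fields' header into dicts; other '#' lines are ignored."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed conn.log line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def flag_connections(conn_records, dns_queries):
    """Return (rule, identifier, detail) tuples. A known C2 hit wins over the heuristic rule."""
    flags = []
    for r in conn_records:
        dst, port = r["id.resp_h"], int(r["id.resp_p"])
        if (dst, port) in C2_IOCS:
            flags.append(("known_c2", r["uid"], f"{dst}:{port}"))
            continue
        if r["proto"] != "tcp" or is_internal(dst):
            continue
        if port not in EXPECTED_PORTS and r["service"] == "-":
            flags.append(("nonstandard_port", r["uid"],
                          f"{dst}:{port} {r['orig_bytes']}B out / {r['resp_bytes']}B in"))
    for src, query in dns_queries:
        if query.lower().rstrip(".") in IP_ECHO_DOMAINS:
            flags.append(("ip_echo_lookup", src, query))
    return flags


# Constructed sample data. Only the first row's destination is taken from the report; the
# rest are stand-ins (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
_COLUMNS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
            "proto", "service", "orig_bytes", "resp_bytes", "conn_state"]
_ROWS = [
    ["1741000000.100", "CHjA1", "10.0.0.5", "49712", "45.15.156.127", "23000", "tcp", "-", "2311", "984", "SF"],
    ["1741000000.200", "CHjA2", "10.0.0.5", "49713", "203.0.113.20", "443", "tcp", "ssl", "900", "4000", "SF"],
    ["1741000000.300", "CHjA3", "10.0.0.5", "49714", "10.0.0.9", "445", "tcp", "-", "10", "10", "SF"],
    ["1741000000.400", "CHjA4", "10.0.0.5", "49715", "203.0.113.7", "8080", "tcp", "http", "300", "500", "SF"],
    ["1741000000.500", "CHjA5", "10.0.0.5", "49716", "198.51.100.3", "4444", "tcp", "-", "100", "2000", "SF"],
    ["1741000000.600", "CHjA6", "10.0.0.5", "51000", "198.51.100.53", "53", "udp", "dns", "60", "120", "SF"],
]
SAMPLE_CONN_LOG = "\n".join(["\t".join(["#fields"] + _COLUMNS)] + ["\t".join(r) for r in _ROWS])
SAMPLE_DNS_QUERIES = [("10.0.0.5", "api.ip.sb"), ("10.0.0.5", "www.microsoft.com")]

if __name__ == "__main__":
    for rule, ident, detail in flag_connections(parse_conn_log(SAMPLE_CONN_LOG), SAMPLE_DNS_QUERIES):
        print(f"{rule:17} {ident:10} {detail}")
```

On the sample log this produces three flags: the known C2 session, the 198.51.100.3:4444 session with no identified service, and the api.ip.sb lookup; the 443/ssl and 8080/http sessions and the SMB session to an internal host are left alone, which is the intended trade-off between coverage and noise for the port heuristic.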
                    NameSourceMaliciousAntivirus DetectionReputation
Name | Source | Malicious | Reputation
http://tempuri.org/example/Field2d | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field2rm | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.ip.sb/ip | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field1 | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/envelope/ | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field2 | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/ | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field3 | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/ | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field3nm | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field1LR | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field1ResponsetYHq | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field3LR | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field2LR | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field2D | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/exa | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discord.com/api/v9/users/ | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field1Response | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field2Response | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/example/Field3Response | injectorQWEEX.exe, 00000000.00000002.25529253904.000000000391B000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.00000000037A2000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp; injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003A92000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/actor/next | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | injectorQWEEX.exe, 00000000.00000002.25529253904.0000000003541000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.15.156.127 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1630529
Start date and time: 2025-03-06 01:31:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: injectorQWEEX.exe
(renamed file extension from bin to exe)
Original Sample Name: injectorQWEEX.bin
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 90
• Number of non-executed functions: 47
• Excluded process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
45.15.156.127 | build.exe | malicious | PureLog Stealer, RedLine, zgRAT
45.15.156.127 | file.exe | malicious | PureLog Stealer, RedLine, zgRAT
45.15.156.127 | doingCTIrocks_crypted.exe | malicious | RedLine
45.15.156.127 | GbZkRO8wav.exe | malicious | RedLine
45.15.156.127 | lnker.lnk | malicious | RedLine
45.15.156.127 | driver.exe | malicious | RedLine
45.15.156.127 | Eclipse.exe | malicious | AsyncRAT, PureLog Stealer, RHADAMANTHYS, RedLine, XWorm, zgRAT
45.15.156.127 | 7bXVSwc9dp.exe | malicious | PureLog Stealer, RedLine, zgRAT
45.15.156.127 | SecuriteInfo.com.Trojan.Agent.446.6903.exe | malicious | RedLine
45.15.156.127 | axfdj9gfw.exe | malicious | RedLine
                                                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | spc.elf | malicious | Mirai, Moobot | 78.25.186.83
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | splmpsl.elf | malicious | Unknown | 78.25.174.64
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | sora.ppc.elf | malicious | Mirai | 78.25.186.82
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Fantazy.ppc.elf | malicious | Unknown | 78.25.187.199
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | loligang.mips.elf | malicious | Mirai | 217.196.110.143
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LMm6yxQtcf.exe | malicious | PureLog Stealer, zgRAT | 5.42.92.0
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | stage-0.bin.exe | malicious | GCleaner | 5.42.65.115
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | yakuza.ppc.elf | malicious | Unknown | 5.42.81.47
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe | malicious | AsyncRAT, XWorm | 45.15.158.112
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | QmFIR949GC.exe | malicious | RedLine | 5.42.92.74
                                                                                                          No context
                                                                                                          No context
                                                                                                          No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.760055303303282
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: injectorQWEEX.exe
File size: 934'664 bytes
MD5: d44daf1beea1a9ed0cc2eeacd2bfbd5c
SHA1: 22e54e3272ada9a1546e80e10ff73425da5e1ab5
SHA256: b2fc6d0c50f49c03a0f7863ca82036d09a74a275080ae5aebe7131582a893612
SHA512: b54f8231e974942dded54c3e79c9799b9b2cc519bc799f60f16173e6af8cb8443326b8efb35c5cf0a71459c3b2f2e0a8954d543e63b95a744824d6a4781607d9
SSDEEP: 6144:zHRz7kru9osRQqaO16636YZE9sOjftfzgvbLn03pRrx5t6Fx9r+BWH:zHRkruzaqbF36Y+X7gvH0NX6X9FH
TLSH: D615E72A59A18781D7F2DEF2FF02D2A2CC600E55092978C2107EAD113FBD7C59662E1F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........,l."..}k!Fl..UX._.].W.?P...!._..1-.Gg.....!....B<.....1.........H..r>....x..C..V<...7..>.....m[..vJc........PE..L....R.f...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x41f6a8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x661552DF [Tue Apr 9 14:38:23 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 512b765c31a25017956fa9f4e97cb280
Instruction
; The listing below matches the MSVC CRT's standard entry stub followed by
; __raise_securityfailure and __report_gsfailure. The import names in the
; comments are inferred from that pattern; the report does not resolve them.
; All indirect call targets fall inside the IAT directory (0x2e000, size 0x144,
; image base 0x400000, i.e. 0x42E000-0x42E144).
call 00007FA47911C5DCh            ; __security_init_cookie
jmp 00007FA47911C039h             ; __scrt_common_main_seh
push ebp                          ; __raise_securityfailure(pExceptionPointers)
mov ebp, esp
push 00000000h
call dword ptr [0042E050h]        ; IAT slot: SetUnhandledExceptionFilter(NULL)
push dword ptr [ebp+08h]
call dword ptr [0042E04Ch]        ; IAT slot: UnhandledExceptionFilter(pExceptionPointers)
push C0000409h                    ; STATUS_STACK_BUFFER_OVERRUN
call dword ptr [0042E000h]        ; IAT slot: GetCurrentProcess()
push eax
call dword ptr [0042E054h]        ; IAT slot: TerminateProcess(hProcess, 0xC0000409)
pop ebp
ret
push ebp                          ; __report_gsfailure (stack cookie mismatch)
mov ebp, esp
sub esp, 00000324h
push 00000017h                    ; PF_FASTFAIL_AVAILABLE
call dword ptr [0042E058h]        ; IAT slot: IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE)
test eax, eax
je 00007FA47911C1C7h              ; no __fastfail support: fall through to the legacy path
push 00000002h
pop ecx                           ; FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                           ; __fastfail(2)
mov dword ptr [004E2AB8h], eax    ; legacy path: capture the register state into a CONTEXT record
mov dword ptr [004E2AB4h], ecx
mov dword ptr [004E2AB0h], edx
mov dword ptr [004E2AACh], ebx
mov dword ptr [004E2AA8h], esi
mov dword ptr [004E2AA4h], edi
mov word ptr [004E2AD0h], ss
mov word ptr [004E2AC4h], cs
mov word ptr [004E2AA0h], ds
mov word ptr [004E2A9Ch], es
mov word ptr [004E2A98h], fs
mov word ptr [004E2A94h], gs
pushfd
pop dword ptr [004E2AC8h]         ; EFlags
mov eax, dword ptr [ebp+00h]
mov dword ptr [004E2ABCh], eax    ; Ebp
mov eax, dword ptr [ebp+04h]
mov dword ptr [004E2AC0h], eax    ; Eip (return address)
lea eax, dword ptr [ebp+08h]
mov dword ptr [004E2ACCh], eax    ; Esp
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004E2A08h], 00010001h   ; ContextFlags = CONTEXT_CONTROL
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe69c0 | 0x490 | .reloc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0x1bb0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe0970 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xe08b0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e000 | 0x144 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2cc33 | 0x2ce00 | b4b2b081585a241bb2d7651dc086f338 | False | 0.4371518105849582 | data | 6.630422795643705 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2e000 | 0xb3d16 | 0xb3e00 | a7cf734e68283842a03da3401141de32 | False | 0.20539029925295343 | data | 5.067017537648892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe2000 | 0x1634 | 0xa00 | 6786cc10c58411a044b5ef5f478aa4eb | False | 0.17734375 | data | 2.3900382569267067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xe4000 | 0x1bb0 | 0x1c00 | 47ea251e016a565ea04ca6795fd0e530 | False | 0.7868303571428571 | data | 6.633302097796085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc | 0xe6000 | 0x1000 | 0xd08 | 99697656d12293398a5cea0a221f3f25 | False | 0.3869904076738609 | data | 4.674874952161441 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | GetCurrentProcess, GetModuleHandleA, K32GetModuleInformation, CreateFileA, CreateFileMappingA, MapViewOfFile, VirtualProtect, CloseHandle, FreeLibrary, VirtualAlloc, VirtualAllocEx, LoadLibraryA, GetProcAddress, lstrlenW, CreateThread, Sleep, WaitForSingleObject, FreeConsole, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, CompareStringW, LCMapStringW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, DecodePointer
ntdll.dll | AdjustElement, StreamlineOperation, ReconstructInstrument, ReconstructComponent, ImproveOperation, EnhanceResource, InnovatePart, OverhaulPart, InnovateOperation, ModifyConfiguration, ImproveResource, OverhaulPart, ReconstructLayer, StreamlineResource, ImproveResource, RefinePart, ReconfigureEndpoint, ImproveComponent, ReconfigureUnit, BuildPart, ReconstructUnit, InnovateResource, AdjustOperation, DeactivateLayer, PersonalizeFramework, DeactivateComponent, ImproveEndpoint, ModernizeEndpoint, ImproveOperation, InnovateConfiguration, StreamlineOperation, ModifyProtocol, StreamlineElement, OverhaulInstrument, ModifyConfiguration, ReconstructObject, AdjustComponent, RefinePart, ImproveConfiguration, ImproveOperation, RefinePart, ReconstructPart, EnhanceResource, ModifyDesire, UpdateLayer, StreamlineCapability, ReconfigureLayer, ImproveProtocol, BuildElement, ReconstructObject, ModifyConfiguration, ReconstructPart, ModifyOperation, AdjustElement, ModernizePart, StreamlineArtifact
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                          Mar 6, 2025 01:34:44.004745960 CET4976823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:44.313281059 CET230004976845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:44.828603029 CET4976823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:45.136734009 CET230004976845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:45.640805960 CET4976823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:45.949681997 CET230004976845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:46.453304052 CET4976823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:46.761913061 CET230004976845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:47.265655041 CET4976823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:47.575424910 CET230004976845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:47.583117962 CET4976923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:47.892446041 CET230004976945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:48.405926943 CET4976923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:48.714700937 CET230004976945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:49.218274117 CET4976923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:49.527512074 CET230004976945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:50.030436993 CET4976923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:50.340220928 CET230004976945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:50.842875957 CET4976923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:51.151645899 CET230004976945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:51.219878912 CET4977023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:51.528294086 CET230004977045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:52.030190945 CET4977023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:52.338699102 CET230004977045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:52.842597008 CET4977023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:53.151701927 CET230004977045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:53.654572010 CET4977023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:53.962963104 CET230004977045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:54.467040062 CET4977023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:54.776451111 CET230004977045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:54.783474922 CET4977123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:55.091953039 CET230004977145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:55.607589960 CET4977123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:55.916030884 CET230004977145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:56.419600964 CET4977123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:56.734586000 CET230004977145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:57.247637987 CET4977123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:57.555887938 CET230004977145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:58.060122967 CET4977123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:58.368673086 CET230004977145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:58.378025055 CET4977223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:58.686469078 CET230004977245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:34:59.200356007 CET4977223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:34:59.513046026 CET230004977245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:00.028145075 CET4977223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:00.337341070 CET230004977245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:00.840883017 CET4977223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:01.149610043 CET230004977245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:01.652838945 CET4977223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:01.961571932 CET230004977245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:01.969779015 CET4977323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:02.278867006 CET230004977345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:02.793298960 CET4977323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:03.102046967 CET230004977345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:03.605487108 CET4977323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:03.913990021 CET230004977345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:04.417901993 CET4977323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:04.726490021 CET230004977345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:05.230334997 CET4977323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:05.539526939 CET230004977345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:05.547405005 CET4977423000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:05.855709076 CET230004977445.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:06.370517969 CET4977423000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:06.678921938 CET230004977445.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:07.183111906 CET4977423000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:07.490928888 CET230004977445.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:07.995122910 CET4977423000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:08.303610086 CET230004977445.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:08.807487965 CET4977423000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:09.115925074 CET230004977445.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:09.122904062 CET4977523000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:09.427083015 CET230004977545.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:09.932416916 CET4977523000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:10.239869118 CET230004977545.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:10.744447947 CET4977523000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:11.048676014 CET230004977545.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:11.557010889 CET4977523000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:11.861144066 CET230004977545.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:12.369311094 CET4977523000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:12.674632072 CET230004977545.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:12.682158947 CET4977623000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:12.991143942 CET230004977645.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:13.494066954 CET4977623000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:13.805493116 CET230004977645.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:14.306312084 CET4977623000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:14.614883900 CET230004977645.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:15.118457079 CET4977623000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:15.426928997 CET230004977645.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:15.931277037 CET4977623000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:16.240864038 CET230004977645.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:16.249454021 CET4977723000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:16.558924913 CET230004977745.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:17.071135998 CET4977723000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:17.381014109 CET230004977745.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:17.883709908 CET4977723000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:18.192285061 CET230004977745.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:18.695780039 CET4977723000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:19.004160881 CET230004977745.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:19.508104086 CET4977723000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:19.816724062 CET230004977745.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:19.825490952 CET4977823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:20.133706093 CET230004977845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:20.648551941 CET4977823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:20.958523035 CET230004977845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:21.460784912 CET4977823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:21.768950939 CET230004977845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:22.273370028 CET4977823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:22.581733942 CET230004977845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:23.085429907 CET4977823000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:23.394407988 CET230004977845.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:23.402196884 CET4977923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:23.710877895 CET230004977945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:24.225843906 CET4977923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:24.534132004 CET230004977945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:25.038089991 CET4977923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:25.347310066 CET230004977945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:25.850707054 CET4977923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:26.159225941 CET230004977945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:26.662862062 CET4977923000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:26.971196890 CET230004977945.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:26.981538057 CET4978023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:27.290307045 CET230004978045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:27.803096056 CET4978023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:28.111787081 CET230004978045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:28.615571022 CET4978023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:28.924285889 CET230004978045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:29.427684069 CET4978023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:29.736465931 CET230004978045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:30.240358114 CET4978023000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:30.549597979 CET230004978045.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:30.556804895 CET4978123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:30.867064953 CET230004978145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:31.380728006 CET4978123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:31.689551115 CET230004978145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:32.192981005 CET4978123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:32.501247883 CET230004978145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:33.005029917 CET4978123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:33.313497066 CET230004978145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:33.817389965 CET4978123000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:34.126672983 CET230004978145.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:34.133903027 CET4978223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:34.442348003 CET230004978245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:34.957901001 CET4978223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:35.275947094 CET230004978245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:35.785742044 CET4978223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:36.094522953 CET230004978245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:36.598464012 CET4978223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:36.907161951 CET230004978245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:37.410634041 CET4978223000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:37.719089031 CET230004978245.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:37.801599979 CET4978323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:38.110846996 CET230004978345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:38.613250017 CET4978323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:38.922041893 CET230004978345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:39.425482988 CET4978323000192.168.11.2045.15.156.127
                                                                                                          Mar 6, 2025 01:35:39.734322071 CET230004978345.15.156.127192.168.11.20
                                                                                                          Mar 6, 2025 01:35:40.237984896 CET4978323000192.168.11.2045.15.156.127


Target ID: 0
Start time: 19:33:38
Start date: 05/03/2025
Path: C:\Users\user\Desktop\injectorQWEEX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\injectorQWEEX.exe"
Imagebase: 0xd10000
File size: 934'664 bytes
MD5 hash: D44DAF1BEEA1A9ED0CC2EEACD2BFBD5C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.25525253706.0000000001242000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.25524783931.0000000001051000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 1
Start time: 19:33:38
Start date: 05/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff60fc60000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
