Windows Analysis Report
8bUUnhu0NB.exe

Overview

General Information

Sample name: 8bUUnhu0NB.exe (renamed because original name is a hash value)
Original sample name: ea4ac79e673549898d54762f2ebb2302.exe
Analysis ID: 1635174
MD5: ea4ac79e673549898d54762f2ebb2302
SHA1: ecff793cd3647c6f5368033ada6a65229b9fe4b4
SHA256: b4ae32a0dfe1d99f5a3afed227708f46d176809e448908c892514dee402674db
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 8bUUnhu0NB.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\8bUUnhu0NB.exe" MD5: EA4AC79E673549898D54762F2EBB2302)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration (RedLine): {"C2 url": ["104.219.239.239:1912"], "Bot Id": "Zilop", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
8bUUnhu0NB.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
8bUUnhu0NB.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (matched strings listed below)
    • 0x24cc3:$gen01: ChromeGetRoamingName
    • 0x24ce8:$gen02: ChromeGetLocalName
    • 0x24d2b:$gen03: get_UserDomainName
    • 0x28bc4:$gen04: get_encrypted_key
    • 0x27943:$gen05: browserPaths
    • 0x27c19:$gen06: GetBrowsers
    • 0x27501:$gen07: get_InstalledInputLanguages
    • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
    • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
    • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
    • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
    • 0x296c4:$spe9: *wallet*
    • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
    • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
    • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
    • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
    • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
    • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
    • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
    • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1162043998.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: 8bUUnhu0NB.exe PID: 7584 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: 8bUUnhu0NB.exe PID: 7584 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.0.8bUUnhu0NB.exe.ed0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.8bUUnhu0NB.exe.ed0000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (matched strings listed below)
    • 0x24cc3:$gen01: ChromeGetRoamingName
    • 0x24ce8:$gen02: ChromeGetLocalName
    • 0x24d2b:$gen03: get_UserDomainName
    • 0x28bc4:$gen04: get_encrypted_key
    • 0x27943:$gen05: browserPaths
    • 0x27c19:$gen06: GetBrowsers
    • 0x27501:$gen07: get_InstalledInputLanguages
    • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
    • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
    • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
    • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
    • 0x296c4:$spe9: *wallet*
    • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
    • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
    • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
    • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
    • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
    • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
    • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
    • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T13:16:19.868877+0100 | 2043234 | 1 | A Network Trojan was detected | 104.219.239.239 | 1912 | 192.168.2.4 | 49719 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T13:16:19.765105+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:24.943251+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:25.222130+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.229844+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.351124+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.456143+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.563619+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.682941+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.252783+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.365015+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.474453+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.583197+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.867952+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:28.011860+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:28.120118+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:29.352231+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:29.357547+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:31.821681+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:31.966915+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.173091+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.322830+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.427021+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.536707+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.750494+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T13:16:25.226920+0100 | 2046056 | 1 | A Network Trojan was detected | 104.219.239.239 | 1912 | 192.168.2.4 | 49719 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T13:16:19.765105+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP

AV Detection

Source: 8bUUnhu0NB.exe | Malware Configuration Extractor: RedLine {"C2 url": ["104.219.239.239:1912"], "Bot Id": "Zilop", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 8bUUnhu0NB.exe | Virustotal: Detection: 85%
Source: 8bUUnhu0NB.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8bUUnhu0NB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8bUUnhu0NB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49719 -> 104.219.239.239:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49719 -> 104.219.239.239:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 104.219.239.239:1912 -> 192.168.2.4:49719
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 104.219.239.239:1912 -> 192.168.2.4:49719
Source: Malware configuration extractor | URLs: 104.219.239.239:1912
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 104.219.239.239:1912
Source: Joe Sandbox View | ASN Name: DATAWAGONUS
Source: unknown | TCP traffic detected without corresponding DNS query: 104.219.239.239 (this entry is repeated 50 times in the report)
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.000000000357E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.000000000357E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003500000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003500000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                    Source: 8bUUnhu0NB.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

                    System Summary

                    Source: 8bUUnhu0NB.exe, type: SAMPLE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                    Source: 0.0.8bUUnhu0NB.exe.ed0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Code function: 0_2_018BDC74
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310316289.000000000157E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 8bUUnhu0NB.exe
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 8bUUnhu0NB.exe
                    Source: 8bUUnhu0NB.exe, 00000000.00000000.1162073113.0000000000F16000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 8bUUnhu0NB.exe
                    Source: 8bUUnhu0NB.exe | Binary or memory string: OriginalFilenameSteanings.exe8 vs 8bUUnhu0NB.exe
                    Source: 8bUUnhu0NB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 8bUUnhu0NB.exe, type: SAMPLE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 0.0.8bUUnhu0NB.exe.ed0000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File created: C:\Users\user\AppData\Local\SystemCache
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Mutant created: NULL
                    Source: 8bUUnhu0NB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 8bUUnhu0NB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process (2 occurrences)
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 8bUUnhu0NB.exe | Virustotal: Detection: 85%
                    Source: 8bUUnhu0NB.exe | ReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: 8bUUnhu0NB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 8bUUnhu0NB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 8bUUnhu0NB.exe | Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 77 times in the report)

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Memory allocated: 1550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Memory allocated: 3270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Window / User API: threadDelayed 3232
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Window / User API: threadDelayed 6473
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe TID: 7816 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Thread delayed: delay time: 922337203685477
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310389466.0000000001622000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Users\user\Desktop\8bUUnhu0NB.exe VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1317111153.000000000675C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 8bUUnhu0NB.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.8bUUnhu0NB.exe.ed0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1162043998.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 8bUUnhu0NB.exe PID: 7584, type: MEMORYSTR
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
                    Source: 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\8bUUnhu0NB.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 8bUUnhu0NB.exe PID: 7584, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 8bUUnhu0NB.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.8bUUnhu0NB.exe.ed0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1162043998.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 8bUUnhu0NB.exe PID: 7584, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one line per tactic column; the digits in parentheses are the report's signature-count badges, reproduced as extracted; techniques without a badge had no matching signature)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
                    Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At; Cron; Launchd
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                    Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (241); Timestomp (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
                    Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); System Information Discovery (113)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
                    Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging
                    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

                    Antivirus detection for the submitted sample
                    Source | Detection | Scanner | Label
                    8bUUnhu0NB.exe | 86% | Virustotal | (no label)
                    8bUUnhu0NB.exe | 76% | ReversingLabs | Win32.Trojan.RedLineStealz
                    No Antivirus matches (reported for three further scan tables)

                    Antivirus detection for contacted URLs
                    Source | Detection | Scanner | Label
                    104.219.239.239:1912 | 0% | Avira URL Cloud | safe
                    No contacted domains info

                    Contacted IPs
                    Name | Malicious | Antivirus Detection | Reputation
                    104.219.239.239:1912 | true | Avira URL Cloud: safe | unknown
                    URLs found in memory or binary data
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    https://duckduckgo.com/ac/?q= | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id14ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id23ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.000000000357E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id12Response | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/ | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id2Response | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id21Response | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id9 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id8 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id6ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id5 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id4 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id7 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id6 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id19Response | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://tempuri.org/Entity/Id13ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | -
                                                                                  high
                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id15Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id5ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id6Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://api.ip.sb/ip8bUUnhu0NB.exefalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/sc8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id1ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id9Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003500000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id208bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id218bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id228bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA18bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id238bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003572000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA18bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id248bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id24Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id1Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://tempuri.org/Entity/Id21ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://tempuri.org/Entity/Id108bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://tempuri.org/Entity/Id118bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/Entity/Id10ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003572000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/Entity/Id128bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://tempuri.org/Entity/Id16Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://tempuri.org/Entity/Id138bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://tempuri.org/Entity/Id148bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://tempuri.org/Entity/Id158bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://tempuri.org/Entity/Id168bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id178bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://tempuri.org/Entity/Id188bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://tempuri.org/Entity/Id5Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://gemini.google.com/app?q=8bUUnhu0NB.exe, 00000000.00000002.1310968398.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, 8bUUnhu0NB.exe, 00000000.00000002.1312878181.000000000458D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://tempuri.org/Entity/Id198bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://tempuri.org/Entity/Id15ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://tempuri.org/Entity/Id10Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renew8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://tempuri.org/Entity/Id11ResponseD8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://tempuri.org/Entity/Id8Response8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id17ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/envelope/ | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id8ResponseD | 8bUUnhu0NB.exe, 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp | false | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.219.239.239 | unknown | United States | 27176 | DATAWAGONUS | true
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1635174
Start date and time:2025-03-11 13:15:22 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:8bUUnhu0NB.exe
renamed because original name is a hash value
Original Sample Name:ea4ac79e673549898d54762f2ebb2302.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.16.185.191, 4.245.163.56, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:16:26 | API Interceptor | 50x Sleep call for process: 8bUUnhu0NB.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DATAWAGONUS | https://uakronrobotics.com/? | malicious | HTMLPhisher | 172.81.130.67
DATAWAGONUS | Order1.vbs | malicious | Unknown | 172.81.130.34
DATAWAGONUS | Owari.ppc.elf | malicious | Unknown | 104.224.1.59
DATAWAGONUS | Payment slip.vbs | malicious | Discord Token Stealer | 172.81.130.34
DATAWAGONUS | PRODUCT LIST.exe | malicious | RedLine | 104.219.234.170
DATAWAGONUS | Zoom.exe | malicious | Unknown | 172.81.130.139
DATAWAGONUS | Zoom.exe | malicious | PureCrypter, MicroClip | 172.81.130.139
DATAWAGONUS | Payload 94.75 (3).225.exe | malicious | Unknown | 172.81.131.156
DATAWAGONUS | mpsl.elf | malicious | Unknown | 104.224.1.68
DATAWAGONUS | b39wW3jYKO.exe | malicious | StormKitty, XWorm | 104.219.239.11
Process:C:\Users\user\Desktop\8bUUnhu0NB.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3094
Entropy (8bit):5.33145931749415
Encrypted:false
SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:3FD5C0634443FB2EF2796B9636159CB6
SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.0814032092654156
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:8bUUnhu0NB.exe
File size:307'712 bytes
MD5:ea4ac79e673549898d54762f2ebb2302
SHA1:ecff793cd3647c6f5368033ada6a65229b9fe4b4
SHA256:b4ae32a0dfe1d99f5a3afed227708f46d176809e448908c892514dee402674db
SHA512:cf2af8cb3472ed5f975f4257e299e9f70fbbd8d367b2a6f55ec8da1a43cfca35caf95707748534cca5e56df224738832060f379b07157646fbcfe4bb674b40c1
SSDEEP:3072:icZqf7D34xp/0+mAGkyYaxQwgrRB1fA0PuTVAtkxzB3R0eqiOL2bBOA:icZqf7DIjnm2lB1fA0GTV8k38L
TLSH:5F645A5833E8C910DA7F4775D861D67093B0BCA3A552E70B4FC4ACAB3D32740EA51AB6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................
Icon Hash:4d8ea38d85a38e6d
Entrypoint:0x43029e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
                                                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30244 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e2a4 | 0x2e400 | 7054cbc8306d41f91c0f74d300c32651 | False | 0.4747677364864865 | data | 6.186354037751461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9c6 | 0x1ca00 | a8cf3f8ff27a4a736ba8fb433d91107f | False | 0.2380765556768559 | data | 2.615031395625776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x200 | ad0a6b4525092f96ee7808055cdae654 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x32220 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35f24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x4674c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a974 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cf1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4dfc4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e42c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e488 | 0x352 | data | | | 0.4447058823529412
RT_MANIFEST | 0x4e7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments | XHP Booster
CompanyName |
FileDescription | XHP
FileVersion | 12.9.1.22
InternalName | Steanings.exe
LegalCopyright | XHP Corporation Copyright 2021
LegalTrademarks |
OriginalFilename | Steanings.exe
ProductName | XHP booster
ProductVersion | 12.9.1.22
Assembly Version | 1.1.21.1
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-11T13:16:19.765105+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:19.765105+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:19.868877+0100 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 104.219.239.239 | 1912 | 192.168.2.4 | 49719 | TCP
2025-03-11T13:16:24.943251+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:25.222130+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:25.226920+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 104.219.239.239 | 1912 | 192.168.2.4 | 49719 | TCP
2025-03-11T13:16:26.229844+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.351124+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.456143+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.563619+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:26.682941+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.252783+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.365015+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.474453+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.583197+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:27.867952+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:28.011860+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:28.120118+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:29.352231+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:29.357547+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:31.821681+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:31.966915+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.173091+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.322830+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.427021+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.536707+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
2025-03-11T13:16:32.750494+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49719 | 104.219.239.239 | 1912 | TCP
                                                                                                                                                                                                                          Mar 11, 2025 13:16:28.016588926 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:28.115523100 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:28.120117903 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:28.124882936 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.239046097 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.287919044 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.352231026 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357460022 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357492924 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357522011 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357547045 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357589006 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357634068 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357662916 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357697010 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357722044 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357745886 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357774019 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357795000 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357826948 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357858896 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357883930 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357908010 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357943058 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.357986927 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358047962 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358077049 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358103991 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358139038 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358170986 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358195066 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358222961 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358249903 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358289003 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.358316898 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363182068 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363245010 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363289118 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363327026 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363389015 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363473892 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.363568068 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.364089966 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.364253044 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368110895 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368191004 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368259907 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368288040 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368340015 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368413925 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368444920 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368501902 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368535995 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368567944 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368597031 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368626118 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368676901 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368709087 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368740082 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368788004 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368846893 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368880033 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368938923 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368954897 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.368987083 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369020939 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369049072 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369081020 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369110107 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369138956 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369163036 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369215012 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369287014 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369314909 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369353056 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369385958 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369411945 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369442940 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369471073 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369525909 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369554996 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369589090 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369617939 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369643927 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369677067 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369710922 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369741917 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369765043 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369807005 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369832993 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369863033 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369884014 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369916916 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369944096 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.369971991 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.370019913 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.370054960 CET191249719104.219.239.239192.168.2.4
Mar 11, 2025 13:16:29.370083094 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370112896 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370141983 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370171070 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370198011 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370228052 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370255947 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370282888 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370311022 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370338917 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370368004 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370395899 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370423079 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370450974 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370479107 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.370507002 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375277996 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375305891 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375359058 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375387907 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375438929 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375467062 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375498056 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375526905 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375576019 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375605106 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375633001 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375682116 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375710011 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375781059 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375809908 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.375932932 CET  49719  1912  192.168.2.4  104.219.239.239
Mar 11, 2025 13:16:29.376053095 CET  49719  1912  192.168.2.4  104.219.239.239
Mar 11, 2025 13:16:29.376085997 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376116037 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376164913 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376194000 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376221895 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376250029 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376277924 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376324892 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376357079 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376385927 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376414061 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376441956 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376471043 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376498938 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376550913 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376580000 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376609087 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376636982 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376667023 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376693964 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376723051 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376750946 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376779079 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376806021 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376833916 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376861095 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376894951 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376924992 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.376976013 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377002954 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377032042 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377059937 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377087116 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377115011 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377142906 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377170086 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377197981 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377227068 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377254963 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377281904 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377310038 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377336979 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377365112 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377393961 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377443075 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377470970 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377497911 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377526999 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377554893 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.377795935 CET  49719  1912  192.168.2.4  104.219.239.239
Mar 11, 2025 13:16:29.377899885 CET  49719  1912  192.168.2.4  104.219.239.239
Mar 11, 2025 13:16:29.382273912 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382437944 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382466078 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382515907 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382544994 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382600069 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382628918 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382656097 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382704973 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382731915 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382817984 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382846117 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382936954 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.382963896 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383016109 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383045912 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383078098 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383105993 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383157969 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383186102 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383214951 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383265018 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383292913 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383325100 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383374929 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383404970 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383457899 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383486032 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383536100 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383563995 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383593082 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383620977 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383672953 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383701086 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383728981 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383757114 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383807898 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383847952 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383876085 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383903980 CET  1912  49719  104.219.239.239  192.168.2.4
Mar 11, 2025 13:16:29.383950949 CET  1912  49719  104.219.239.239  192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.383979082 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384006977 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384057045 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384084940 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384113073 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384140015 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384167910 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384195089 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384231091 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384258032 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384284973 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384332895 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384361029 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384414911 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384443045 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384471893 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384499073 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384526968 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384634018 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384741068 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384778976 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384807110 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384835958 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384864092 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384891987 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384919882 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384948015 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.384974957 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385003090 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385055065 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385085106 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385113955 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385142088 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385169983 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385198116 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385226011 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385253906 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385281086 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385308981 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385335922 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385365009 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385395050 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385421991 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385451078 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385478973 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385507107 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385535955 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385564089 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385616064 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385643959 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385672092 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385699987 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385725975 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385755062 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385782957 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385809898 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385838985 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385867119 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385895967 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385924101 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385951042 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.385978937 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.386006117 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.386056900 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.386085987 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.386113882 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.386141062 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.390830994 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.390872955 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.390886068 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.390973091 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.390986919 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391077042 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391154051 CET497191912192.168.2.4104.219.239.239
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391190052 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391205072 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391217947 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391231060 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391257048 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391271114 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391284943 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391298056 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391362906 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391377926 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391460896 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391474962 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391556978 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391570091 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391601086 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391614914 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391724110 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391736984 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391815901 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391828060 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391850948 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391864061 CET191249719104.219.239.239192.168.2.4
                                                                                                                                                                                                                          Mar 11, 2025 13:16:29.391966105 CET191249719104.219.239.239192.168.2.4


Target ID: 0
Start time: 08:16:17
Start date: 11/03/2025
Path: C:\Users\user\Desktop\8bUUnhu0NB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\8bUUnhu0NB.exe"
Imagebase: 0xed0000
File size: 307'712 bytes
MD5 hash: EA4AC79E673549898D54762F2EBB2302
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1162043998.0000000000ED2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1310968398.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1310968398.0000000003382000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 40
Total number of Limit Nodes: 3

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 018BB086
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b8334b37e591ce519f0428f6d3523b292f2ec1189de68d994b0fcd53b64ba501
• Instruction ID: 64e7ad8412a829cdf02477173f0a80a15d533248865058679d7f925b4f308cc9
• Opcode Fuzzy Hash: b8334b37e591ce519f0428f6d3523b292f2ec1189de68d994b0fcd53b64ba501
• Instruction Fuzzy Hash: 718126B0A00B058FE728DF69D0857AABBF1FB88304F00892ED15AD7B50D775E946CB95

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 018B59F1
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
                                                                                                                                                                                                                            • Opcode ID: ea7cd9755bb439c2f90961d118265a9e97a7a70cac79aadbf382769a86dbdb17
                                                                                                                                                                                                                            • Instruction ID: b78b67ffb055dfd8b784a87dfe52869ce1beb26f1cdb9f26acf28ec42cb84e86
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea7cd9755bb439c2f90961d118265a9e97a7a70cac79aadbf382769a86dbdb17
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D141C0B1C00719CFEB24DFA9C884BDDBBB5BF49314F24805AD508AB251DB756945CF90

                                                                                                                                                                                                                            Control-flow Graph

control_flow_graph 406 18b4248-18b5a01 CreateActCtxA 410 18b5a0a-18b5a64 406->410 411 18b5a03-18b5a09 406->411 418 18b5a73-18b5a77 410->418 419 18b5a66-18b5a69 410->419 411->410 420 18b5a79-18b5a85 418->420 421 18b5a88 418->421 419->418 420->421 423 18b5a89 421->423 423->423
APIs
• CreateActCtxA.KERNEL32(?), ref: 018B59F1
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: e3e1b7baaedd0aca20c3c04f52ba1d228227914cbb43d7555fab11e2fee1e7f8
• Instruction ID: 8678596990b005c875f868fce1e7015a5ace95c2f0f94227ce3d95956788c8fa
• Opcode Fuzzy Hash: e3e1b7baaedd0aca20c3c04f52ba1d228227914cbb43d7555fab11e2fee1e7f8
• Instruction Fuzzy Hash: 2F41C1B0C00718CFEB24DFA9C884BDDBBB5BF49314F60806AE408AB251D7B56945CF90

Control-flow Graph

control_flow_graph 424 18bc9a0-18bd394 DuplicateHandle 427 18bd39d-18bd3ba 424->427 428 18bd396-18bd39c 424->428 428->427
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018BD2C6,?,?,?,?,?), ref: 018BD387
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a1d6fed68ba11eb704aedb7eb72a1e5fe160fb98d3a7f734d5fb1a040d587d51
• Instruction ID: 4fa25b84947802477236a486d333ffa36f7c628bc82f27023fa7bcdf709db1cb
• Opcode Fuzzy Hash: a1d6fed68ba11eb704aedb7eb72a1e5fe160fb98d3a7f734d5fb1a040d587d51
• Instruction Fuzzy Hash: 0421E3B5901308EFDB10CF9AD984ADEBBF4EB48314F14841AE918A7311D379AA54CFA4

Control-flow Graph

control_flow_graph 431 18bd2f9-18bd2fe 432 18bd300-18bd304 431->432 433 18bd305-18bd394 DuplicateHandle 431->433 432->433 434 18bd39d-18bd3ba 433->434 435 18bd396-18bd39c 433->435 435->434
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018BD2C6,?,?,?,?,?), ref: 018BD387
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3ea45ed62658ca94eda317f90745820996453ffce6f9db8a8ebce1ed0504f943
• Instruction ID: 376422324fa7e56407ec2c5621e489410d524705b00bfb7fb327c52ac4b62762
• Opcode Fuzzy Hash: 3ea45ed62658ca94eda317f90745820996453ffce6f9db8a8ebce1ed0504f943
• Instruction Fuzzy Hash: DF21E3B5D01248EFDB10CF9AD584ADEBBF4EB48314F14801AE918A3311D379AA54CFA5

Control-flow Graph

control_flow_graph 438 18bb020-18bb060 442 18bb068-18bb093 GetModuleHandleW 438->442 443 18bb062-18bb065 438->443 444 18bb09c-18bb0b0 442->444 445 18bb095-18bb09b 442->445 443->442 445->444
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 018BB086
Memory Dump Source
• Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 70a3f74b968ba71f3e3a3a07096cc95fe86ab35d170338944be76114c3ef8abd
• Instruction ID: 903e5cd1e3143ca88ea3e220efd7f12ac1179f737a7d49bbd214db7520b6682d
• Opcode Fuzzy Hash: 70a3f74b968ba71f3e3a3a07096cc95fe86ab35d170338944be76114c3ef8abd
• Instruction Fuzzy Hash: 18110FB6C00349CFDB20DF9AC444ADEFBF4AB88310F10841AD569A7310C37AA645CFA5
Memory Dump Source
• Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464c76a09696b7ba982adffd8e4149d775e24ee294e7c886e3fbcbff83c64f7
• Instruction ID: fb425f6befe7e61e1549bc6cf2e407b3a37e4db4469287306a9f81994e81e8c2
• Opcode Fuzzy Hash: 4464c76a09696b7ba982adffd8e4149d775e24ee294e7c886e3fbcbff83c64f7
• Instruction Fuzzy Hash: 33212776900240DFDF059F94D9C4B1BBBA5FB88314F24866AE90D0B266C336D412CBA2
Memory Dump Source
• Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb342118b03cee2b9a3786da6326164c4fbc9aadc874fb667043008f89dfa692
• Instruction ID: 103a700f0f66bb23205c156b2c8468e804445ca0c3326ee65ec5ecd47abd2f42
• Opcode Fuzzy Hash: bb342118b03cee2b9a3786da6326164c4fbc9aadc874fb667043008f89dfa692
• Instruction Fuzzy Hash: 6F213672900204DFDB15DF44D9C4B56BBA5FB94315F20C57AE9090F266C336E456CAA2
Memory Dump Source
• Source File: 00000000.00000002.1310044892.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14fd000_8bUUnhu0NB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d99a8aa67964ae0ab6e8926121342af1e7cf1150fd70e6944af2d1ed2f93a073
• Instruction ID: 69b8d643b56ee537ec0f439b471de1c6d24201c238e236aa138ae9fe2a993415
• Opcode Fuzzy Hash: d99a8aa67964ae0ab6e8926121342af1e7cf1150fd70e6944af2d1ed2f93a073
• Instruction Fuzzy Hash: A52107B1904300DFDB15DF54D9C0B16BB65FB84318F24C56EEA0A4B3A6C336D447CA62
Memory Dump Source
• Source File: 00000000.00000002.1310044892.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14fd000_8bUUnhu0NB.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 7150253185d9d10a05eed74f5ab5ab5ac4f0fc37ca324d1395723f9238b0ae48
                                                                                                                                                                                                                            • Instruction ID: 3a113bd4c7d1bcc171d24f2128327057fbde71a5123ed8162512e9636b28d35d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7150253185d9d10a05eed74f5ab5ab5ac4f0fc37ca324d1395723f9238b0ae48
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4B217F755093808FDB16CF24D590716BF71EB46218F28C5EAD9498F7A7C33A980ACB62
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c95ac238651e1933d6bee724ec991f797f043bce7f4f5fd6e0d8223ed76a3073
                                                                                                                                                                                                                            • Instruction ID: 70350eb1997274136c5ec4849bad7c1e376299fecc2620afb35dda3cb2a9d280
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c95ac238651e1933d6bee724ec991f797f043bce7f4f5fd6e0d8223ed76a3073
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D221C076844280DFCB16CF44D9C4B16BFB2FB88314F2486AAD9480B667C33AD426CB91
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d9ad3efc35fa8b416f73e6fd9b5130605c5b10339b4c796a30493a3edbfb8fe1
                                                                                                                                                                                                                            • Instruction ID: cfc539a7b609b4e3ceef6ed43567db5c4d3d3dec4476376120afd59172d21e57
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d9ad3efc35fa8b416f73e6fd9b5130605c5b10339b4c796a30493a3edbfb8fe1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C11DF76804280CFDB12CF44D9C4B56BFB1FB94324F24C6AAD9090B667C33AE456CBA1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 5170525a3235dd0a9d468c7e5162524de499ed32d49347da337bfb3ff5006541
                                                                                                                                                                                                                            • Instruction ID: beabbf85a27e44ffc36ccb2509217f859cfe98631a99cb61117b06070392126c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5170525a3235dd0a9d468c7e5162524de499ed32d49347da337bfb3ff5006541
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A101F73180D340DBF7204A95CC88767BFDCDF41625F08C45BED094F292D2359980CAB6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1309791016.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_14ed000_8bUUnhu0NB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 5df026e9f4965104987c931d0fde298395daf4ad7618c6517a5ad83c32f341e8
                                                                                                                                                                                                                            • Instruction ID: 895ed1b523f00521f3089e6289e70d8acf4104e0abfefe0191127bcb3e46a9c7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5df026e9f4965104987c931d0fde298395daf4ad7618c6517a5ad83c32f341e8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C3F0C272409340DEEB208A0ACC88B67FFDCEF40624F18C45BED084B293C2799944CAB1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.1310612353.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_18b0000_8bUUnhu0NB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 94c6129084c1c7416b346bd8e6f82d59a14f5a82577b4f5ce257f96076a8ea3d
                                                                                                                                                                                                                            • Instruction ID: 9353c9ef07a16f8df2c467bb98a2ff1018c345fecb5077f041762ee5ce7a9e60
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 94c6129084c1c7416b346bd8e6f82d59a14f5a82577b4f5ce257f96076a8ea3d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F3A16E36A1020A9FCF15DFB8C8805DEBBB2FF84304B15856AE905EB355DB75EA45CB80