Analysis Report kMroyG6lXZ.exe

Overview

General Information

Sample Name: kMroyG6lXZ.exe
Analysis ID: 399804
MD5: 9ce4c8a45c002bb230764b42b9211086
SHA1: 435e3955dfcfb36e60ab31bdd309bf72ab5de377
SHA256: a0faa82eeb65dec2d55e0041f18eb27652dafd93dc25e105927303e277cd8df6
Tags: exe, RedLineStealer

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • kMroyG6lXZ.exe (PID: 4944 cmdline: 'C:\Users\user\Desktop\kMroyG6lXZ.exe' MD5: 9CE4C8A45C002BB230764B42B9211086)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "bumblebee2021.store:80|trusmileveneers.store:80|lazerprojekt.store:80", "Bot Id": "118"}

Yara Overview

Memory Dumps

Source                                                               Rule                 Description                    Author
00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
00000000.00000003.224645228.0000000000724000.00000004.00000001.sdmp  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
00000000.00000002.490498068.00000000023B0000.00000004.00000001.sdmp  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
00000000.00000002.491643531.0000000003505000.00000004.00000001.sdmp  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
00000000.00000002.490137711.0000000002170000.00000004.00000001.sdmp  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
(1 further entry not shown)

Unpacked PEs

Source                                   Rule                 Description                    Author
0.3.kMroyG6lXZ.exe.7242d0.1.unpack       JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
0.2.kMroyG6lXZ.exe.21ed976.5.raw.unpack  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
0.2.kMroyG6lXZ.exe.23b0000.6.raw.unpack  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
0.2.kMroyG6lXZ.exe.21eca8e.4.raw.unpack  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
0.2.kMroyG6lXZ.exe.3523550.9.raw.unpack  JoeSecurity_RedLine  Yara detected RedLine Stealer  Joe Security
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": "bumblebee2021.store:80|trusmileveneers.store:80|lazerprojekt.store:80", "Bot Id": "118"}
Multi AV Scanner detection for domain / URL
Source: bumblebee2021.store | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: kMroyG6lXZ.exe | Virustotal: Detection: 28%
Source: kMroyG6lXZ.exe | ReversingLabs: Detection: 36%
Machine Learning detection for sample
Source: kMroyG6lXZ.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Unpacked PE file: 0.2.kMroyG6lXZ.exe.400000.0.unpack
Source: kMroyG6lXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: Binary string: _.pdb source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp
                      Source: Binary string: System.ServiceModel.pdbH source: kMroyG6lXZ.exe, 00000000.00000002.489292260.0000000000777000.00000004.00000001.sdmp
                      Source: Binary string: System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.489292260.0000000000777000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.488981394.000000000070D000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.488981394.000000000070D000.00000004.00000001.sdmp
Source: unknown | DNS traffic detected: query: bumblebee2021.store replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: bumblebee2021.store
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store
Source: kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store(hr
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store//
Source: kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store4
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store:80//
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/0
Source: kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoipAppData
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: String function: 0208E428 appears 44 times
Source: kMroyG6lXZ.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: kMroyG6lXZ.exe | Binary or memory string: OriginalFilename vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePristane.exe4 vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@103/1
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Command line argument: 08A 0_2_00413780
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Unpacked PE file: 0.2.kMroyG6lXZ.exe.400000.0.unpack .text:ER;.data:W;.tls:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: kMroyG6lXZ.exe | Static PE information: section name: .new
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C40C push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00423149 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C50E push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004231C8 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C6BE push ebx; ret 0_2_0041C6BF
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209C10E push ebx; ret 0_2_0209C10F
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209BE5C push cs; iretd 0_2_0209BF32
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209BF5E push cs; iretd 0_2_0209BF32
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208E46D push ecx; ret 0_2_0208E480
Source: initial sample | Static PE information: section name: .text entropy: 7.72713604414
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe TID: 5900 | Thread sleep count: 80 > 30
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe TID: 5900 | Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Last function: Thread delayed
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: kMroyG6lXZ.exe, 00000000.00000002.489327919.0000000000784000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0208092B mov eax, dword ptr fs:[00000030h]0_2_0208092B
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h]0_2_02080D90
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0040ADB0 GetProcessHeap,HeapFree,0_2_0040ADB0
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040E61C
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416F6A
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_004123F1 SetUnhandledExceptionFilter,0_2_004123F1
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0208D059 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0208D059
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_0208E86C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0208E86C
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_020971BA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_020971BA
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_02092641 SetUnhandledExceptionFilter,0_2_02092641
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
                      Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: GetLocaleInfoA,0_2_00417A20
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: MapViewOfFile,RaiseException,LCMapStringA,GetLocaleInfoW,RegCreateKeyW,0_2_00433B40
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: GetLocaleInfoA,0_2_02097C70
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15
                      Source: C:\Users\user\Desktop\kMroyG6lXZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match; File source: 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.224645228.0000000000724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.490498068.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.491643531.0000000003505000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.490137711.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: kMroyG6lXZ.exe PID: 4944, type: MEMORY
Source: Yara match; File source: 0.3.kMroyG6lXZ.exe.7242d0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21ed976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.23b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3523550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.23b0000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3523550.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3505530.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21ed976.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3506418.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3506418.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3505530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170000.3.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: ElectrumRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: JaxxRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: Ethereum#\Ethereum\wallets
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: ExodusRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: EthereumRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp; String found in binary or memory: set_UseMachineKeyStore

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match; File source: 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.224645228.0000000000724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.490498068.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.491643531.0000000003505000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.490137711.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: kMroyG6lXZ.exe PID: 4944, type: MEMORY
Source: Yara match; File source: 0.3.kMroyG6lXZ.exe.7242d0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21ed976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.23b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3523550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.23b0000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3523550.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3505530.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.21ed976.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3506418.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3506418.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.3505530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kMroyG6lXZ.exe.2170000.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed per tactic column; the number in parentheses after a technique is the count of matched signatures shown in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files