Edit tour

Windows Analysis Report
8v0aSYe34Q

Overview

General Information

Sample Name:	8v0aSYe34Q (renamed file extension from none to exe)
Analysis ID:	620525
MD5:	859e6cf84ff73e9a9921fb829c3a386e
SHA1:	5bbc936fdb82ed3e57c1ae2f4a0cbfab459883b7
SHA256:	cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410
Tags:	32exetrojan
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Tries to steal Crypto Currency Wallets

Tries to evade debugger and weak emulator (self modifying code)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains method to dynamically call methods (often used by packers)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Found large amount of non-executed APIs

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

8v0aSYe34Q.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\8v0aSYe34Q.exe" MD5: 859E6CF84FF73E9A9921FB829C3A386E)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "51.79.188.112:7110", "Bot Id": "KOL"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8v0aSYe34Q.exe PID: 6260	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 8v0aSYe34Q.exe PID: 6260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.3 - Destination IP: 51.79.188.112

Timestamp:	05/04/22-21:09:50.022363 05/04/22-21:09:50.022363
SID:	2850286
Source Port:	49748
Destination Port:	7110
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.3 - Destination IP: 51.79.188.112

Timestamp:	05/04/22-21:09:31.442963 05/04/22-21:09:31.442963
SID:	2850286
Source Port:	49748
Destination Port:	7110
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 51.79.188.112 - Destination IP: 192.168.2.3

Timestamp:	05/04/22-21:09:31.611126 05/04/22-21:09:31.611126
SID:	2850353
Source Port:	7110
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.3 - Destination IP: 51.79.188.112

Timestamp:	05/04/22-21:09:28.360368 05/04/22-21:09:28.360368
SID:	2850027
Source Port:	49748
Destination Port:	7110
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.3 - Destination IP: 51.79.188.112

Timestamp:	05/04/22-21:09:40.013577 05/04/22-21:09:40.013577
SID:	2850286
Source Port:	49748
Destination Port:	7110
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8v0aSYe34Q.exe.6260.0.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "51.79.188.112:7110", "Bot Id": "KOL"}

Multi AV Scanner detection for submitted file

Source: 8v0aSYe34Q.exe

Virustotal: Detection: 41%

Perma Link

Machine Learning detection for sample

Source: 8v0aSYe34Q.exe

Joe Sandbox ML: detected

Source: 0.3.8v0aSYe34Q.exe.2a70000.0.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: 8v0aSYe34Q.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 8v0aSYe34Q.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov al, byte ptr [ecx]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov ax, word ptr [ecx]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then call 00988EE3h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+14h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+14h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+013407D8h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+01340684h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then call 02A31ABAh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then add edi, 04h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+0133E7A0h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+0133E808h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+0133E788h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, dword ptr [edx+0133E7FCh]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then lea edx, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov ecx, 0000003Ch
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then lea eax, dword ptr [ebp-64h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov ecx, 00000005h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov ecx, 00000005h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+10h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov esi, eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov ebx, dword ptr [edx+000002ECh]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then test dword ptr [esi+08h], 00000080h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [esi]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, 00000104h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, dword ptr [ebp-0000020Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then xor edi, edi
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then add edi, 04h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A280C7h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+1Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp al, 7Ah
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then sub al, 20h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+24h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, 00000104h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, dword ptr [ebp-00000108h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then xor edi, edi
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edi, dword ptr [esi+000002FDh]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then add edi, 04h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+1Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push 00008000h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then call 02A3167Ah
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, 000000C6h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp word ptr [edi+eax*2-02h], 005Ch
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then call 02A31E64h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then inc dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, 7Ah
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then sub eax, 20h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp eax, 7Ah
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then sub eax, 20h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+24h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+0Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then test edx, edx
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then add edi, 08h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+0Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27F7Eh
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov esi, eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+20h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then test dword ptr [esi], 00000004h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp word ptr [esi+06h], cx
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then lea eax, dword ptr [esi+0000010Ch]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then add esi, 0000041Ch
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A30503h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then test dword ptr [esi], 00000004h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp word ptr [esi+06h], cx
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp edx, dword ptr [esi+0000119Eh]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then cmp ecx, dword ptr [esi+0000118Eh]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, esi
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov esi, eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov esi, eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then push dword ptr [ebp+20h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov esi, eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov eax, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then mov edx, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 4x nop then jmp 02A27D70h

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49748 -> 51.79.188.112:7110
Source: Traffic	Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49748 -> 51.79.188.112:7110
Source: Traffic	Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 51.79.188.112:7110 -> 192.168.2.3:49748

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.3:49748 -> 51.79.188.112:7110

Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.188.112

Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: 8v0aSYe34Q.exe, 00000000.00000003.321186796.0000000007FE1000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000003.321205863.0000000007FF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1
Source: 8v0aSYe34Q.exe, 00000000.00000003.321186796.0000000007FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 8v0aSYe34Q.exe, 00000000.00000003.321186796.0000000007FE1000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000003.321205863.0000000007FF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: 8v0aSYe34Q.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_009890CD
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_009841FA
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00986245
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_009893C5
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098F425
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098D465
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098E585
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_009895A7
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_009898F0
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098C9B5
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098D9A5
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00984A28
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098FB55
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00984B7B
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00985B69
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098EC65
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098FEC5
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098DF95
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098CFC5
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A36E66
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A36FEC
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A36DE3
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A21D1D
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C639F3
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C60EE0
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C613C0
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C62305
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C61051
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C61060
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C641EA
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02C616DE

Source: 8v0aSYe34Q.exe, 00000000.00000003.245209972.0000000002A70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLocalESPC.dll0 vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.321909581.0000000000928000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocalESPC.dll0 vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 8v0aSYe34Q.exe
Source: 8v0aSYe34Q.exe	Binary or memory string: OriginalFilenameLocalESPC.dll0 vs 8v0aSYe34Q.exe

Source: 8v0aSYe34Q.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 8v0aSYe34Q.exe

Static PE information: Section: .idata ZLIB complexity 0.999341974703

Source: 8v0aSYe34Q.exe

Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

File read: C:\Users\user\Desktop\8v0aSYe34Q.exe

Jump to behavior

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, d2RM8Ss9rk1K6t7xJf/JnIhxPM5YjxNHakKb1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, d2RM8Ss9rk1K6t7xJf/JnIhxPM5YjxNHakKb1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, d2RM8Ss9rk1K6t7xJf/JnIhxPM5YjxNHakKb1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 8v0aSYe34Q.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Unpacked PE file: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack .didata:ER;.itext:W;.rsrc:R;.idata:EW; vs .didata:ER;.itext:W;.rsrc:R;

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, d2RM8Ss9rk1K6t7xJf/JnIhxPM5YjxNHakKb1.cs

.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00980154 push ebp; iretd
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_00988DC9 pushfd ; ret
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098AE08 push 0000006Ah; retf
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098AE70 push 0000006Ah; retf
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_0098AE72 push 0000006Ah; retf
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A2190B push ecx; iretd
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A217D0 push ecx; iretd
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Code function: 0_2_02A2773E push ecx; retf

Source: 8v0aSYe34Q.exe

Static PE information: section name: .didata

Source: initial sample

Static PE information: section where entry point is pointing to: .idata

Source: 8v0aSYe34Q.exe

Static PE information: 0xC25F582D [Wed May 3 09:13:17 2073 UTC]

Source: initial sample

Static PE information: section name: .idata entropy: 7.99680274273

Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemCollectionsSpecializedBitVectorSectionx.cs	High entropy of concatenated method names: 'get_RowLength', '.ctor', 'GatherValue', 'UuuXRs0d0U', 'ReadContextTable', 'DDcXcZGNrM', 'ReadContextValue', 'RYbXYqudwo', 'Count', 'LDuX6i36c9'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemSecurityCryptographyXCertificatesXDistinguishedNameZ.cs	High entropy of concatenated method names: 't46GjOBSH', 'WriteLine', 'Lnv2R1Yzs7ViwbS51UW', 'Gfh8fnN1laf5s6DPiC4', 'u3wqHbNYCKr0n6ktoGU', 'sI4iqtNNOLNGg9GJTfl', 'YB6EIXNhNCvMaxruJcs', 'pl87QWNeLh6oSjoLQR1', 'vLQhZONovQmiCZyyKQd', 'GBC8fRNIUOjO1FVtBja'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetSecuritySecureChannelUnmanagedCertificateContextr.cs	High entropy of concatenated method names: 'CreateBind', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber', 'ListOfProcesses', 'GetVs', 'GetProcessesByName', 'ListOfPrograms', 'AvailableLanguages'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dnlibDotNetScopeTypeC.cs	High entropy of concatenated method names: 'Check', '.cctor', 'XSRS0PIyAoUvQqs1NJ3', 'X4JYHqIrPWxeQZOTA2E', 'zgcOxoISqwX9xRteaFM', 'T9NDKTIFVpdbXmbZfSi', 'kWTb3VITuIlmPcV294j', 'l8ldqLIde51c4Geb5XM', 'i4sb1QIplHoSXFxwM3B', 'y5NIJqIny5KsIPMITIu'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemDataSqlClientSqlColumnEncryptionCertificateStoreProviderz.cs	High entropy of concatenated method names: 'DomainExists', 'PreCheck', 'GwrnKPIAxyriy8KFhZt', 'vWTumeIURQumSL90oAn', 'KQ8GZKIiq71h6YXMIwv', 'JfL2uuICgixDmv7EMXJ', 'Vw3YldI9Ptu8M3IotOM', 'VsKqveIsNMIGXoMmYHD', 'VLU0rVI7M1LoWNekMw0', 'v06LxbIlagsdDlhQnWf'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemComponentModelINestedContainerm.cs	High entropy of concatenated method names: '.ctor', 'BXNnXxCex', 'D_1', 'D_2', 'D_3', 'D_4', 'D_5', 'D_6', 'D_7', 'Decrypt'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemIOCompressionInflaterI.cs	High entropy of concatenated method names: '.ctor', 'Id1', 'RequestConnection', 'Id3', 'Id4', 'Id5', 'Id6', 'Id7', 'Id8', 'Id9'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dnlibDotNetMDTableInfoK.cs	High entropy of concatenated method names: 'FindPaths', 'ChromeGetName', 'ChromeGetRoamingName', 'ChromeGetLocalName', '.ctor', 'alhTxCBQkYt4yQFSgrf', 'SdIAvcBky8LwkmKh5ek', 'kslZlpBJZjQlccWLFAd', 'PGOrQ1Bu81Baa9a17jk', 'gp3HBcBDnyPFXt4pkXV'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dWcgGrX6nSDTyJq6ILi/Yq6DuSXYlD6qd4Uplg9.cs	High entropy of concatenated method names: 'U1pZvQGY4dfZr', 'uDfZvQG3IPkpQ', '.ctor', '.cctor', 'ESbtqu89h7UBdRmhOYb', 'A96Dlp8sL1sNiTvoDqn', 'MvvXQN87ZQIHDwf1FLq', 'jlRZKL8lpEM0yvWnSCE', 'mnxm3R8Z5ywFbDpHUat'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetDownloadProgressChangedEventHandlerh.cs	High entropy of concatenated method names: '.ctor', 'Dispose', '.cctor', 'wAQDPEBraRxHL6i7YCu', 'WZCOiXBShu7vlfRajfc', 'mfMaTQBFCV6xjyyvL7f', 'qNPbT2BTJis3Z3UN0fL', 'H9vMr6BdESZpNeQZI5H', 'xSStErBnAG1YH1Sbaqb', 'wIOJvKByg5Noyy6FbEO'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dnlibDotNetFileAttributesI.cs	High entropy of concatenated method names: 'GetWindowsScreenScalingFactor', 'MonitorSize', 'GetImageBase', 'EwjXUoIsb2', 'vALpaUIapxZ2dfiLDu7', 'ic6TpWItkseR7S1de6R', 'Nmq2fJIRxQLodg2PAxu', 'cojUbAIGaf9X1oVLG3n', 'L0apKqIjg7QDrOXZuba', 'PMRVeKI5MXnTBKCeUny'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dnlibDotNetGenericArgumentsStackW.cs	High entropy of concatenated method names: 'Enum', 'iAlW3KqQH', 'tbVFK738y', '.ctor', 'UqWnKlfNRqZAqqgQeL', 'P37GH8K2XD2eeEX54v', 'JkRk75vWpiaBIiqYhB', 'oEvP6PpItvcUVD6RKR', 'oNi4b8n9A8oDQ3buMT', 'Iuo14xye64IqZJjrZl'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemSecurityCryptographyXCertificatesXChainV.cs	High entropy of concatenated method names: 'ReadFile', 'ReadFileAsText', 'Ms2wAmIoR4fo0Q0gYTZ', 'LQp2IRIIYvG4jDG9Qjl', 'iSLA7nI0yLakKlrbxBH', 'G8cmtIIB7l6JYWLtchD', 'LuMJbZIm3svAiLDGUEo', 'H9aBUVIhXfikPFBY43k', 'HorkXmIeVks4cl53qIn'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemIOErrorEventArgsB.cs	High entropy of concatenated method names: 'get_PassedPaths', 'set_PassedPaths', 'Id2', 'Id3', '.ctor', 'mckDbDeg1kOL8CqgRiQ', 'QLdJjdeiql6Ke3gKegE', 'AsFTTheCZkLesNRGnL0', 'elBSaseAhRuIg7FbLUM', 'SqPjTaeU7Dhug0QF99O'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetUnsafeNclNativeMethodsHttpApiHTTPREQUESTH.cs	High entropy of concatenated method names: '.ctor', 'Invoker', 'sdfk8h34', 'Visible', 'asdk9y3', 'kadsoji83', 'kkdhfakdasd', 'sdfm83kjasd', 'sdfkas83', 'gkdsi8y234'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetUnsafeNclNativeMethodsHttpApiHTTPAPIVERSIONU.cs	High entropy of concatenated method names: 'Id2', 'Id3', '.ctor', 'tvjxd0eNdAsFVKok5iu', 'gDHUaAehKYQw7Kr7241', 'RatgaXee9OUVOppSQls', 'uyjFNQeoQyPUab8hLYl', 'CFVn85eI3u23BZxBy7V', 'clUMFhe0ZJUqAuTHbsD', 'rBYTTke1wyflBmZVeOX'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemDiagnosticsEventLogPermissionAccessJ.cs	High entropy of concatenated method names: 'Export', 'Bn0IKDPfv', 'GeckoRoamingName', 'GeckoLocalName', 'AFKqOrHueX88AdxqfF', 'wpOW4v4fs3frbCOCMF', 'oinWTrkw7pfnnaApP4', 'SScJDVJ9bIW9bvJ5q3', 'RKT7fYLlsmQIQ6CKJU', 't3bbxoMxvDh2nodi8f'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetCacheWinInetCacheFILETIMEU.cs	High entropy of concatenated method names: 'RPWXN27PZh', 'GetDefaultIPv4Address', 'voEX5rQlTW', 'rLrB0D0B7vyuN3TYp2g', 'TLEP3Q0mLnMjgYdlW3T', 'tUGHjm0IedBvsYwxvQJ', 'fxvwr000yOuVlZJwEU0', 'LdLtim0P2aSvuFF3uDm', 'RveisZ08ZCY5A3QqmKJ', 'm2L2fU0VdEiv9WJsVCI'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemSecurityAuthenticationExtendedProtectionTokenBindingTypeP.cs	High entropy of concatenated method names: 'IsValidAction', 'Process', '.ctor', 'MusZOGocWRVeOt3UBge', 'JviwrWoOBYbYMTCEYGP', 'Spqc4DowPIoWqMrEGWu', 'EjlnQ7oagWMg60LoOM4', 'tJAqitot7KM21BiS3CT', 'AoSwVCoRJrV6JI0EyfS', 'Op1v7joGWUFSC16KNyN'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, dnlibDotNetMethodSigd.cs	High entropy of concatenated method names: 'IsValidAction', 'Process', '.ctor', 'UEkkMvofd0xLReJCvYO', 'zYV6mmoKlkBhJNkevZj', 'Q9QnbnovGKsI6KEeqsl', 'MoF1cvoppsgeCmc2mDi', 'SP8bydone4GjlOw76R2', 'iUva6royyZQw9KsVM7g', 'rUs1iKor0ThYsSV0vVe'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetMailSmtpFailedRecipientsExceptionU.cs	High entropy of concatenated method names: 'IsValidAction', 'Process', '.ctor', 'KqoyPkoA8OCVb1lE6QI', 'zyyI0joUpBf3fOHNdpn', 'xJK4Muo9AjSO2Yr9vKy', 'dHQ7p7osygZ7wIhsVRV', 'XKCdlFo725ZuWv5YuIx', 'Dhoxa2ol7WE95yo6QjJ', 'rJpicuoZ3BeuEKIPVhD'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetUnsafeNclNativeMethodsOSSOCKSOCKETADDRESSLISTP.cs	High entropy of concatenated method names: 'Xor', 'HMflbGGqQ', 'UGg0RGv06', 'Read', 't0qgOhYnbKKpFt7f8bU', 'v8EeDoYyK9HgcA7xexm', 'i6ARvIYrkJRev9Tpwla', 'GA8mA1YSAslMRR8rWf7', 'cZrPbeYvHS60Iudbaw2', 'gYLumpYp2gun6YX9gjs'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, MicrosoftWinSafeHandlesSafeXChainHandlec.cs	High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'GetMd5Hash', 'auRAUZrLT', 'MIf2kSYlIGlSgVf1KJW', 'L9vIFZYZxrrhncQccsW', 'DQdvoBYbhWFn5q0MvJI', 'gLLYphY6Rk6vyYsDGCS', 'pAspNlYsvglP0VjkHIM', 'jLx9iwY7PrnSBtxupTK'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, d2RM8Ss9rk1K6t7xJf/JnIhxPM5YjxNHakKb1.cs	High entropy of concatenated method names: '.cctor', 'hWqZvQsGdJiPM', 'Gmr7Q75kU1', 'ade7vTyq9Y', 'O8B7yZbtPA', 'xZr7JBXHNW', 'LHe7gc32Xk', 'SAn727kIJS', 'cFs74cdK1h', 'bRd7B44y1U'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, TXKxJauPEmi4IVWux1/q14RLa1YmZJG3riIu9.cs	High entropy of concatenated method names: 'vmmZvQss7AeWA', '.ctor', '.cctor', 'PebPUZPL5TvDpkYniRl', 'Gaw0OhPMMkC1TkXG8DA', 'K6qIrOPHT8nZiNuDKGf', 'xTkluqP4NBcIOyL3J0V', 'cdq74ZP5vKMhQy5tVre', 'DbRnVSP2RXeahYoAmKY', 'xeaVImPkTkycMhNw9ng'
Source: 0.2.8v0aSYe34Q.exe.8f0000.0.unpack, SystemNetConfigurationConnectionManagementElementR.cs	High entropy of concatenated method names: 'S??n', 'IsaXrOjuD', 'Wt8DriAc1', 'VSY7T7uRN', 'q4IHaLOL2', 'ReadRawData', 'ReadKey', 'MakeTries', 'AHhWm70N8ZlSoRckip', 'ioX4EfBBuoUlJLsYwg'

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Special instruction interceptor: First address: 000000000099334E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Special instruction interceptor: First address: 0000000002A2AF65 instructions caused by: Self-modifying code

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe TID: 5848	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe TID: 6288	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Code function: 0_2_009933D3 rdtsc

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Window / User API: threadDelayed 4882
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Window / User API: threadDelayed 2669

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

API coverage: 8.6 %

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Code function: 0_2_009933D3 rdtsc

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Code function: 0_2_0097E484 LdrInitializeThunk,

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Users\user\Desktop\8v0aSYe34Q.exe VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Users\user\Desktop\8v0aSYe34Q.exe VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Users\user\Desktop\8v0aSYe34Q.exe VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Users\user\Desktop\8v0aSYe34Q.exe VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Users\user\Desktop\8v0aSYe34Q.exe VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Code function: 0_2_00993399 cpuid

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8v0aSYe34Q.exe PID: 6260, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l-cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: 8v0aSYe34Q.exe, 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: 8v0aSYe34Q.exe, 00000000.00000002.321843794.00000000008F3000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\8v0aSYe34Q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8v0aSYe34Q.exe PID: 6260, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8v0aSYe34Q.exe PID: 6260, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 OS Credential Dumping	33 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	233 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	23 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8v0aSYe34Q.exe	42%	Virustotal		Browse
8v0aSYe34Q.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.8v0aSYe34Q.exe.8f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.3.8v0aSYe34Q.exe.2a70000.0.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://service.r	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g	8v0aSYe34Q.exe, 00000000.00000003.321186796.0000000007FE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_real	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_pdf	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.cobj	8v0aSYe34Q.exe, 00000000.00000003.321186796.0000000007FE1000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000003.321205863.0000000007FF3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	8v0aSYe34Q.exe, 00000000.00000002.326273315.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323963390.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324020976.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.326129696.0000000004459000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323759201.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.rea	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	8v0aSYe34Q.exe, 00000000.00000002.323045583.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_wmp	8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	8v0aSYe34Q.exe, 00000000.00000002.325424837.00000000036BD000.00000004.00000800.00020000.00000000.sdmp, 8v0aSYe34Q.exe, 00000000.00000002.324935951.0000000003633000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	8v0aSYe34Q.exe, 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.79.188.112	unknown	Canada		16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	620525
Start date and time: 04/05/202221:08:13	2022-05-04 21:08:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	8v0aSYe34Q (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:09:44	API Interceptor	43x Sleep call for process: 8v0aSYe34Q.exe modified

Process:	C:\Users\user\Desktop\8v0aSYe34Q.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2932
Entropy (8bit):	5.334469918014252
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIWUfHK7HKhBHKdHKB1AHKzvQTHmtHoxHImHKAHK1HQ:iqXeqm00YqhQnouOq7qLqdqUqzcGtIx1
MD5:	1A2F6CD1E6D92B812BD9E50C66E2388A
SHA1:	E510A412B93B0D48BB5AB666E1AA4DB4A8895C0B
SHA-256:	6C3E43210F51DD3BC1878E67EA7631D5B1DA1883037776EC5BC445E892F4E0B8
SHA-512:	1C24378C6635563DB5B5617DC42ED5F303DF456E0FCDD4F880B6FFA2B80AB4369549671300D5F9C2A089DCB1F485D408C50931CA9A72295FD7E57E44373D5DFD
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.943516994761011
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	8v0aSYe34Q.exe
File size:	796304
MD5:	859e6cf84ff73e9a9921fb829c3a386e
SHA1:	5bbc936fdb82ed3e57c1ae2f4a0cbfab459883b7
SHA256:	cad1b58e38cfc1e0a0431fa9aae253a1626b4e4e3a6cbc6a8f119cd4959f6410
SHA512:	bae39f648487e4ac364152cf18061d28d834f11ea27027075ebc41508d0850fd5416b0fcfdfedbc66afc4c734bb969625046cb8f18523e437f49fb6edecc1a4c
SSDEEP:	24576:6QwJUPvfQ9Lu9lokWwq4uHopxqqYMEeq:6QwauQvWwq4wopVYME3
TLSH:	0305232635DBC53BE7906A384DADE6CADB24FD839C066B477390332CD572BA12E05781
File Content Preview:	MZ>........M.=.A....CJR.2.c...P........VC..#0.ph.!E....N.........Q.............................................................................................................................................................................................

File Icon


Icon Hash:	30e0c4c45efc7038

Static PE Info

General

Entrypoint:	0x48e000
Entrypoint Section:	.idata
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xC25F582D [Wed May 3 09:13:17 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2d99dbf9a3c1158012345d1eb4ef7fac

Entrypoint Preview

Instruction
jmp 00007FC83CC2C246h
push 504B2040h
jmp 00007FC83CC2C243h
xor eax, ebp
sbb byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FC83CC2C246h
sbb dword ptr [ecx+ebp*2-7CFE1466h], esi
xor eax, eax
jns 00007FC83CC2C245h
call far 04EBh : 6C719F46h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37000	0x1dc	.itext
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x55a54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.didata	0x1000	0x36000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x37000	0x1000	0x200	False	0.509765625	data	3.64540996605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x55a54	0x55a54	False	0.801895075313	data	7.82839756911	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x8e000	0x18000	0x175fd	False	0.999341974703	DOS executable (COM)	7.99680274273	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PKGDEF	0x38100	0x4edf	data	English	United States
PKGDEF	0x3d008	0x4f92	data	English	United States
PKGDEF	0x41fc4	0x4edf	data	English	United States
PNG	0x46ef8	0xe4a	data	English	United States
PNG	0x47d6c	0x166	data	English	United States
REGISTRY	0x47f30	0x2c	data	English	United States
REGISTRY	0x47f84	0xc5	data	English	United States
TEXTFILE	0x480c4	0x1152	data	English	United States
TYPELIB	0x4926c	0x23e4	data	English	United States
WEVT_TEMPLATE	0x4b6b0	0x129e	data	English	United States
RT_CURSOR	0x4ca68	0x134	data	English	United States
RT_CURSOR	0x4cbc4	0x134	data	English	United States
RT_CURSOR	0x4cd20	0x134	data	English	United States
RT_CURSOR	0x4ce7c	0x134	data	English	United States
RT_CURSOR	0x4cfd8	0x134	data	English	United States
RT_CURSOR	0x4d134	0x134	data	English	United States
RT_CURSOR	0x4d290	0xb4	data	English	United States
RT_CURSOR	0x4d36c	0x134	data	English	United States
RT_CURSOR	0x4d4c8	0xb4	data	English	United States
RT_CURSOR	0x4d5a4	0x134	data	English	United States
RT_CURSOR	0x4d700	0x2ec	data	English	United States
RT_CURSOR	0x4da14	0x2ec	data	English	United States
RT_CURSOR	0x4dd28	0x134	data	English	United States
RT_CURSOR	0x4de84	0x134	data	English	United States
RT_CURSOR	0x4dfe0	0x134	data	English	United States
RT_CURSOR	0x4e13c	0x134	data	English	United States
RT_CURSOR	0x4e298	0x134	data	English	United States
RT_CURSOR	0x4e3f4	0x134	data	English	United States
RT_CURSOR	0x4e550	0x134	data	English	United States
RT_CURSOR	0x4e6ac	0x134	data	English	United States
RT_CURSOR	0x4e808	0x134	data	English	United States
RT_CURSOR	0x4e964	0x134	data	English	United States
RT_CURSOR	0x4eac0	0x134	data	English	United States
RT_CURSOR	0x4ec1c	0x134	data	English	United States
RT_CURSOR	0x4ed78	0x134	data	English	United States
RT_CURSOR	0x4eed4	0x134	data	English	United States
RT_CURSOR	0x4f030	0x134	data	English	United States
RT_CURSOR	0x4f18c	0x134	data	English	United States
RT_BITMAP	0x4f418	0x50	data	English	United States
RT_BITMAP	0x4f490	0x50	data	English	United States
RT_BITMAP	0x4f508	0x50	data	English	United States
RT_BITMAP	0x4f580	0x50	data	English	United States
RT_BITMAP	0x4f5f8	0x46	data	English	United States
RT_BITMAP	0x4f668	0x42	data	English	United States
RT_BITMAP	0x4f6d4	0x46	data	English	United States
RT_BITMAP	0x4f744	0x42	data	English	United States
RT_BITMAP	0x4f7b0	0xe8	data	English	United States
RT_BITMAP	0x4f8c0	0x168	data	English	United States
RT_BITMAP	0x4fa50	0xc0	data	English	United States
RT_BITMAP	0x4fb38	0xc0	data	English	United States
RT_BITMAP	0x4fc20	0x1228	data	English	United States
RT_BITMAP	0x50e70	0xc28	data	English	United States
RT_BITMAP	0x51ac0	0xc2a	data	English	United States
RT_BITMAP	0x52714	0x928	data	English	United States
RT_BITMAP	0x53064	0x32a	data	English	United States
RT_BITMAP	0x533b8	0x628	data	English	United States
RT_BITMAP	0x53a08	0xe8	data	English	United States
RT_BITMAP	0x53b18	0x32a	data	English	United States
RT_BITMAP	0x53e6c	0xe8	data	English	United States
RT_BITMAP	0x53f7c	0x32a	data	English	United States
RT_BITMAP	0x542d0	0xe8	data	English	United States
RT_BITMAP	0x543e0	0xe8	data	English	United States
RT_BITMAP	0x544f0	0x54	data	English	United States
RT_BITMAP	0x5456c	0x2c728	data	English	United States
RT_BITMAP	0x80cbc	0x228	data	English	United States
RT_BITMAP	0x80f0c	0x228	data	English	United States
RT_BITMAP	0x8115c	0x228	data	English	United States
RT_BITMAP	0x813ac	0x5c	data	English	United States
RT_BITMAP	0x81430	0x5c	data	English	United States
RT_BITMAP	0x814b4	0x328	data	English	United States
RT_BITMAP	0x81804	0x328	data	English	United States
RT_BITMAP	0x81b54	0x32a	data	English	United States
RT_BITMAP	0x81ea8	0x58	data	English	United States
RT_BITMAP	0x81f28	0xf28	data	English	United States
RT_ICON	0x82ea0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x870f0	0x4b8	data	English	United States
RT_ICON	0x875d0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x87ac0	0x1aa	data	English	United States
RT_STRING	0x87c94	0x214	data	English	United States
RT_STRING	0x87ed0	0x270	data	English	United States
RT_STRING	0x88168	0x216	data	English	United States
RT_STRING	0x883a8	0x282	data	English	United States
RT_STRING	0x88654	0x2b8	data	English	United States
RT_STRING	0x88934	0x236	data	English	United States
RT_STRING	0x88b94	0x296	data	English	United States
RT_STRING	0x88e54	0xa6	data	English	United States
RT_STRING	0x88f24	0x50	data	English	United States
RT_FONTDIR	0x88fc8	0x9b	data	English	United States
RT_FONT	0x890a4	0x377c	data	English	United States
RT_RCDATA	0x8c868	0x26c	data	English	United States
RT_RCDATA	0x8cafc	0x137	data
RT_MESSAGETABLE	0x8cc74	0x24	data	English	United States
RT_GROUP_CURSOR	0x8cda0	0x14	data	English	United States
RT_GROUP_CURSOR	0x8cddc	0x14	data	English	United States
RT_GROUP_CURSOR	0x8ce18	0x14	data	English	United States
RT_GROUP_CURSOR	0x8ce54	0x14	data	English	United States
RT_GROUP_CURSOR	0x8ce90	0x14	data	English	United States
RT_GROUP_CURSOR	0x8cecc	0x22	data	English	United States
RT_GROUP_CURSOR	0x8cf18	0x22	data	English	United States
RT_GROUP_CURSOR	0x8cf64	0x14	data	English	United States
RT_GROUP_CURSOR	0x8cfa0	0x14	data	English	United States
RT_GROUP_CURSOR	0x8cfdc	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d018	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d054	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d090	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d0cc	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d108	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d144	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d180	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d1bc	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d1f8	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d234	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d270	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d2ac	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d2e8	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d324	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d360	0x14	data	English	United States
RT_GROUP_CURSOR	0x8d39c	0x14	data	English	United States
RT_GROUP_ICON	0x8d400	0x14	data	English	United States
RT_GROUP_ICON	0x8d43c	0x14	data	English	United States
RT_GROUP_ICON	0x8d478	0x14	data	English	United States
RT_VERSION	0x8d4cc	0x3c8	data	English	United States
RT_MANIFEST	0x8d8d4	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
kernel32.dll	GetModuleHandleW
user32.dll	GetDlgItem
advapi32.dll	RegQueryValueA
shell32.dll	ShellAboutW
mscoree.dll	_CorExeMain
comctl32.dll	CreateStatusWindowA

Version Infos

Description	Data
LegalCopyright	Luxe USA Corporation. All rights reserved.
InternalName	LocalESPC
FileVersion	14.00.24325.1
CompanyName	Luxe USA Corp.
LegalTrademarks	Luxe is a registered trademark of USA Corporation.
ProductName	PREfast
ProductVersion	14.00.24325.1
FileDescription	PREfast LocalESPC analysis defect module
OriginalFilename	LocalESPC.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/22-21:09:50.022363 05/04/22-21:09:50.022363	TCP	2850286	ETPRO TROJAN Redline Stealer TCP CnC Activity	49748	7110	192.168.2.3	51.79.188.112
05/04/22-21:09:31.442963 05/04/22-21:09:31.442963	TCP	2850286	ETPRO TROJAN Redline Stealer TCP CnC Activity	49748	7110	192.168.2.3	51.79.188.112
05/04/22-21:09:31.611126 05/04/22-21:09:31.611126	TCP	2850353	ETPRO MALWARE Redline Stealer TCP CnC - Id1Response	7110	49748	51.79.188.112	192.168.2.3
05/04/22-21:09:28.360368 05/04/22-21:09:28.360368	TCP	2850027	ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init	49748	7110	192.168.2.3	51.79.188.112
05/04/22-21:09:40.013577 05/04/22-21:09:40.013577	TCP	2850286	ETPRO TROJAN Redline Stealer TCP CnC Activity	49748	7110	192.168.2.3	51.79.188.112

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2022 21:09:27.983628035 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:28.151108027 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:28.151228905 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:28.360368013 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:28.529398918 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:28.654592991 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:31.442962885 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:31.611125946 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:31.654844999 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:40.013576984 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:40.183541059 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:40.183610916 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:40.183640957 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:40.183903933 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:40.287007093 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.554285049 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.722445965 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.722492933 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.722520113 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.722548008 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.722678900 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.722764969 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.722790956 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.890304089 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890353918 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890372992 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890389919 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890491009 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890640974 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890671015 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.890743971 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.890763044 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.890789986 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.890810013 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.890844107 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:47.891246080 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:47.894762039 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058387995 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058459997 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058514118 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058569908 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058612108 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058623075 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058639050 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058664083 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058722019 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058748960 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058758020 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058810949 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058821917 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.058860064 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.058913946 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059094906 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059149027 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059211969 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.059262037 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.059303999 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.059360027 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059412003 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059470892 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.059565067 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.059612989 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.059886932 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.062422037 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.062519073 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.226785898 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.226844072 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.226871014 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227116108 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227147102 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227236986 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227350950 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227511883 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227560043 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227775097 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227803946 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.227863073 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228055954 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228117943 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228338957 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.228404999 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228436947 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228471041 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.228511095 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228672981 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228897095 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228929043 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.228997946 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229108095 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229264975 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229376078 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229650974 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229722023 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.229835033 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.230329037 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.230442047 CEST	49748	7110	192.168.2.3	51.79.188.112
May 4, 2022 21:09:48.396063089 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.396092892 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.396109104 CEST	7110	49748	51.79.188.112	192.168.2.3
May 4, 2022 21:09:48.396238089 CEST	7110	49748	51.79.188.112	192.168.2.3

Target ID:	0
Start time:	21:09:14
Start date:	04/05/2022
Path:	C:\Users\user\Desktop\8v0aSYe34Q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8v0aSYe34Q.exe"
Imagebase:	0x8f0000
File size:	796304 bytes
MD5 hash:	859E6CF84FF73E9A9921FB829C3A386E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.323167089.0000000003267000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.323258581.0000000003300000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8v0aSYe34Q

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8v0aSYe34Q.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Statistics

System Behavior

Windows Analysis Report
8v0aSYe34Q