Windows Analysis Report
2sibxc6cB1.exe

Overview

General Information

Sample Name: 2sibxc6cB1.exe
Analysis ID: 626607
MD5: bba7db09449a22cfe8f3310bf1238210
SHA1: 49ce80fb77d7a06c4de52ddf2457e1dfceb7661c
SHA256: ffd0e59168d8d32c26f16e557b26d7fc45a748ae3d2621f40c740848762249a6
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • 2sibxc6cB1.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\2sibxc6cB1.exe" MD5: BBA7DB09449A22CFE8F3310BF1238210)
  • cleanup
Malware Configuration (RedLine): {"C2 url": ["185.215.113.75:4531"], "Bot Id": "swttestmet", "Authorization Header": "adc5dc30debab8d39a706f26a199fa7e"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.2sibxc6cB1.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.2sibxc6cB1.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
0.2.2sibxc6cB1.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.2sibxc6cB1.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.3.2sibxc6cB1.exe.a30000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
No Sigma rule has matched

Snort IDS alerts

Timestamp: 05/14/22-15:38:34.055550
Source IP: 185.215.113.75
Destination IP: 192.168.2.4
Source Port: 4531
Destination Port: 49760
SID: 2850353
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:38:32.157673
Source IP: 192.168.2.4
Destination IP: 185.215.113.75
Source Port: 49760
Destination Port: 4531
SID: 2850027
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:38:35.355126
Source IP: 192.168.2.4
Destination IP: 185.215.113.75
Source Port: 49760
Destination Port: 4531
SID: 2850286
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.75:4531"], "Bot Id": "swttestmet", "Authorization Header": "adc5dc30debab8d39a706f26a199fa7e"}
Source: 2sibxc6cB1.exe | ReversingLabs: Detection: 46%
Source: 2sibxc6cB1.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Unpacked PE file: 0.2.2sibxc6cB1.exe.400000.0.unpack
Source: 2sibxc6cB1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: ^C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdbp source: 2sibxc6cB1.exe
Source: Binary string: _.pdb source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdb source: 2sibxc6cB1.exe

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49760 -> 185.215.113.75:4531
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49760 -> 185.215.113.75:4531
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.215.113.75:4531 -> 192.168.2.4:49760
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | IP Address: 185.215.113.75 185.215.113.75
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 185.215.113.75:4531
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.75 (this entry is repeated 13 times in the report)
Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://forms.rea
Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.r
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.a
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310618075.0000000002B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabt
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.adob
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://helpx.ad
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                  Source: 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                  Source: 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: 2sibxc6cB1.exe, 00000000.00000002.307519429.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

                  Source: 0.2.2sibxc6cB1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.3.2sibxc6cB1.exe.a30000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.2384626.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.2650000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.24d0ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.2650000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.3.2sibxc6cB1.exe.7b2d08.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.24d0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.24d0ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.6d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.238373e.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.2384626.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.24d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 0.3.2sibxc6cB1.exe.7b2d08.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 2sibxc6cB1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 0.2.2sibxc6cB1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
                  Source: 0.2.2sibxc6cB1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
                  Source: 0.3.2sibxc6cB1.exe.a30000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
                  Source: 0.2.2sibxc6cB1.exe.2384626.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
                  Source: 0.2.2sibxc6cB1.exe.2650000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.24d0ee8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.2650000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.2sibxc6cB1.exe.7b2d08.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.24d0000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.24d0ee8.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.6d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.238373e.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.2384626.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.24d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.2sibxc6cB1.exe.7b2d08.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_0040DC11
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00407C3F
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00418CCC
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00406CA0
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_004028B0
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_0041A4BE
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00418244
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00401650
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00402F20
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_004193C4
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00418788
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00402F89
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00402B90
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_004073A0
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D786D
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D18B7
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006E89EF
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D31F0
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D3187
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D2B17
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006E84AB
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D2DF7
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006DDE78
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D8EC7
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D7EA6
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006EA725
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006E8F33
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D6F07
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_006D77D9
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: String function: 006DE43F appears 44 times
                  Source: 2sibxc6cB1.exeBinary or memory string: OriginalFilename vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.306827625.0000000000439000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exe, 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameHarmattans.exe4 vs 2sibxc6cB1.exe
                  Source: 2sibxc6cB1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 2sibxc6cB1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 2sibxc6cB1.exeReversingLabs: Detection: 46%
                  Source: 2sibxc6cB1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeFile created: C:\Users\user\AppData\Local\Microsoft\Wind?wsJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Command line argument: 08A
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 2sibxc6cB1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: ^C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdbp source: 2sibxc6cB1.exe
                  Source: Binary string: _.pdb source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdb source: 2sibxc6cB1.exe

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Unpacked PE file: 0.2.2sibxc6cB1.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Unpacked PE file: 0.2.2sibxc6cB1.exe.400000.0.unpack .text:ER;.data:W;.xatoc:R;.kecizu:R;.hig:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0041C40C push cs; iretd
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_00423149 push eax; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0041C50E push cs; iretd
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_004231C8 push eax; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0040E21D push ecx; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0041C6BE push ebx; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006EC125 push ebx; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006DE484 push ecx; ret
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006EBE73 push cs; iretd
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006EBF75 push cs; iretd
                  Source: 2sibxc6cB1.exe | Static PE information: section name: .xatoc
                  Source: 2sibxc6cB1.exe | Static PE information: section name: .kecizu
                  Source: 2sibxc6cB1.exe | Static PE information: section name: .hig
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: initial sample | Static PE information: section name: .text entropy: 7.03896581857
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe TID: 5952 | Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe TID: 6252 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Window / User API: threadDelayed 390
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Window / User API: threadDelayed 739
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0041D8CA sldt word ptr [eax]
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | API call chain: ExitProcess graph end node
                  Source: 2sibxc6cB1.exe, 00000000.00000003.295501449.00000000007FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
                  Source: 2sibxc6cB1.exe, 00000000.00000003.295501449.00000000007FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareBSK3PUGBWin32_VideoControllerTYP6GKX_VideoController120060621000000.000000-000359.8880display.infMSBDABOY9R2MWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsF4NF5K9Z
                  Source: 2sibxc6cB1.exe, 00000000.00000002.307634129.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.286754885.00000000007B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006D092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006D0D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006DD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006DE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006E71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Code function: 0_2_006E2658 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\2sibxc6cB1.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: 2sibxc6cB1.exe, 00000000.00000002.313466459.0000000005A1C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2384626.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2650000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.7b2d08.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.238373e.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2384626.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.7b2d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.307296199.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2sibxc6cB1.exe PID: 6204, type: MEMORYSTR
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2sibxc6cB1.exe PID: 6204, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2384626.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2650000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.7b2d08.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.238373e.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.2384626.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.24d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.2sibxc6cB1.exe.7b2d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.307296199.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2sibxc6cB1.exe PID: 6204, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic column; the numbers in front of technique names are carried over from the report's matrix cells)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 221 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Native API; At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 261 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 Application Window Discovery; 134 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Input Capture; 1 Archive Collected Data; 3 Data from Local System; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Source | Detection | Scanner | Label | Link
2sibxc6cB1.exe | 46% | ReversingLabs | Win32.Infostealer.Generic |
2sibxc6cB1.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://service.r | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
http://support.a | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://forms.rea | 0% | URL Reputation | safe |
http://go.micros | 0% | URL Reputation | safe |
http://www.w3.o | 0% | URL Reputation | safe |

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310209713.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310717466.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311202864.0000000003717000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304581848.00000000039BA000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.312021174.00000000038CC000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309239992.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.304495912.0000000003949000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://service.r | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_pdf | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://support.a | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_quicktime | 2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309879444.0000000002983000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311581188.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.311814941.000000000385A000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309571126.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | 2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | false
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://support.google.com/chrome/?p=plugin_shockwave2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://forms.rea2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://support.google.com/chrome/?p=plugin_wmp2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.02sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://support.google.com/chrome/answer/62587842sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentity2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://support.google.com/chrome/?p=plugin_flash2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA12sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://support.google.com/chrome/?p=plugin_java2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://go.micros2sibxc6cB1.exe, 00000000.00000002.309998781.0000000002999000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309322720.0000000002813000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.309657760.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/06/addressingex2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/fault2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ15102sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://support.google.com/chrome/?p=plugin_divx2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl2sibxc6cB1.exe, 00000000.00000002.310900982.0000000002B9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://www.w3.o2sibxc6cB1.exe, 00000000.00000002.310367494.0000000002A5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA12sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA12sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement2sibxc6cB1.exe, 00000000.00000002.308838013.00000000026F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT2sibxc6cB1.exe, 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | found in 2sibxc6cB1.exe process memory dumps | false
high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.75 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626607
Start date and time: 2022-05-14 15:37:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 2sibxc6cB1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 42.3% (good quality ratio 40.6%)
• Quality average: 84.9%
• Quality standard deviation: 24.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 2sibxc6cB1.exe
Time | Type | Description
15:38:44 | API Interceptor | 14x Sleep call for process: 2sibxc6cB1.exe modified
No context
Process: C:\Users\user\Desktop\2sibxc6cB1.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHqHAH5HX:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbq4
MD5: 924DEA6470CAC502B24442CF377CE6A7
SHA1: 133C304912A1DF4AF62F6EDCA3EA21F3E0CE7F4F
SHA-256: 2B2572C7D0134EEF12644AF90D61302A50E7B550FFB4629666F8C566F34BED0D
SHA-512: 34C817F3F4D87AAD5F6902BB80522B59FE8F9935C86819B575B6139EBDEF3026866ED802DB1D36765CF7ECCF323692705DCA3D799FC7CFF7C0114B08CBE9F7A9
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.9584871530039845
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2sibxc6cB1.exe
File size: 379904
MD5: bba7db09449a22cfe8f3310bf1238210
SHA1: 49ce80fb77d7a06c4de52ddf2457e1dfceb7661c
SHA256: ffd0e59168d8d32c26f16e557b26d7fc45a748ae3d2621f40c740848762249a6
SHA512: 930a6dae0d84521584022956aa8f6fffc2f1bd17d4b009647fd23dfc600da9936360ac56f3b5c393a9a61e1f6f1c9846d29b3786f6713383c7cf060653fc5168
SSDEEP: 6144:toaV+vVYmvkH1MA3ggu8otbXz+q+yUshZUsx8:toaV+tPvk/gZ8oN+jyLHUsx8
TLSH: C584F121B3A0C035E493163054B5E2B16E7EB8A7A531458B67A8AF3D6F703C05FB9367
                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j....sS..sS..sS.}.S..sS.}.S..sS.}.S..sS.s.S..sS..rS..sS.}.S..sS.}.S..sS.}.S..sSRich..sS........................PE..L....^.`...
Icon Hash: d0e4e6b6e4cce134
Entrypoint: 0x405fd9
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x60065E96 [Tue Jan 19 04:22:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3b1349984d3f2d24d6b47d7a7e833ab3
Instruction
call 00007FFB54F07E42h
jmp 00007FFB54F03D7Eh
sub eax, 000003A4h
je 00007FFB54F03F14h
sub eax, 04h
je 00007FFB54F03F09h
sub eax, 0Dh
je 00007FFB54F03EFEh
dec eax
je 00007FFB54F03EF5h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007FFB54F07E9Ch
xor eax, eax
movzx ecx, ax
                                                                                                                                                                                                      mov eax, ecx
                                                                                                                                                                                                      mov dword ptr [esi+04h], edi
                                                                                                                                                                                                      mov dword ptr [esi+08h], edi
                                                                                                                                                                                                      mov dword ptr [esi+0Ch], edi
                                                                                                                                                                                                      shl ecx, 10h
                                                                                                                                                                                                      or eax, ecx
                                                                                                                                                                                                      lea edi, dword ptr [esi+10h]
                                                                                                                                                                                                      stosd
                                                                                                                                                                                                      stosd
                                                                                                                                                                                                      stosd
                                                                                                                                                                                                      mov ecx, 00447018h
                                                                                                                                                                                                      add esp, 0Ch
                                                                                                                                                                                                      lea eax, dword ptr [esi+1Ch]
                                                                                                                                                                                                      sub ecx, esi
                                                                                                                                                                                                      mov edi, 00000101h
                                                                                                                                                                                                      mov dl, byte ptr [ecx+eax]
                                                                                                                                                                                                      mov byte ptr [eax], dl
                                                                                                                                                                                                      inc eax
                                                                                                                                                                                                      dec edi
                                                                                                                                                                                                      jne 00007FFB54F03EE9h
                                                                                                                                                                                                      lea eax, dword ptr [esi+0000011Dh]
                                                                                                                                                                                                      mov esi, 00000100h
                                                                                                                                                                                                      mov dl, byte ptr [eax+ecx]
                                                                                                                                                                                                      mov byte ptr [eax], dl
                                                                                                                                                                                                      inc eax
                                                                                                                                                                                                      dec esi
                                                                                                                                                                                                      jne 00007FFB54F03EE9h
                                                                                                                                                                                                      pop edi
                                                                                                                                                                                                      pop esi
                                                                                                                                                                                                      ret
                                                                                                                                                                                                      mov edi, edi
                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                                      sub esp, 0000051Ch
                                                                                                                                                                                                      mov eax, dword ptr [00447BE0h]
                                                                                                                                                                                                      xor eax, ebp
                                                                                                                                                                                                      mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                      push ebx
                                                                                                                                                                                                      push edi
                                                                                                                                                                                                      lea eax, dword ptr [ebp-00000518h]
                                                                                                                                                                                                      push eax
                                                                                                                                                                                                      push dword ptr [esi+04h]
                                                                                                                                                                                                      call dword ptr [0040108Ch]
                                                                                                                                                                                                      mov edi, 00000100h
Programming Language:
• [LNK] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x45864          0x3c          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xec000          0x3ce0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf0000          0x9c4         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x11b0           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3480           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x168         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text    0x1000           0x45074       0x45200   False     0.735741834313   data       7.03896581857   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data    0x47000          0xa19e4       0x10c00   False     0.0268481809701  data       0.355626057246  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.xatoc   0xe9000          0xbb8         0xc00     False     0.00813802083333 data       0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kecizu  0xea000          0x270         0x400     False     0.0166015625     data       0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hig     0xeb000          0x17          0x200     False     0.02734375       data       0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0xec000          0x3ce0        0x3e00    False     0.632371471774   data       5.68983329755   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0xf0000          0x1834        0x1a00    False     0.328425480769   data       3.31415310491   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                   Language  Country
RT_ICON        0xec1f0  0x6c8   dBase III DBT, version number 0, next free block index 40, 1st item "\235\242\225"      Marathi   India
RT_ICON        0xec8b8  0x25a8  data                                                                                   Marathi   India
RT_ICON        0xeee60  0x468   GLS_BINARY_LSB_FIRST                                                                   Marathi   India
RT_STRING      0xef498  0x272   data                                                                                   French    Switzerland
RT_STRING      0xef710  0x21c   data                                                                                   French    Switzerland
RT_STRING      0xef930  0x3ae   data                                                                                   French    Switzerland
RT_GROUP_ICON  0xef2c8  0x30    data                                                                                   Marathi   India
RT_VERSION     0xef2f8  0x1a0   data                                                                                   French    Switzerland
DLL           Import
KERNEL32.dll  FreeLibrary, InterlockedIncrement, OpenJobObjectA, GetCurrentProcess, SetDefaultCommConfigW, GetConsoleAliasesLengthA, GetGeoInfoW, GetUserDefaultLangID, GetEnvironmentStrings, GlobalAlloc, SetConsoleMode, GetAtomNameW, GetModuleFileNameW, GetSystemDirectoryA, GetBinaryTypeW, MoveFileExA, LCMapStringA, GetLastError, GetProcAddress, GetDiskFreeSpaceW, LoadLibraryA, LocalAlloc, CreateEventW, GetCommTimeouts, EnumCalendarInfoExA, lstrcmpW, FindResourceA, MultiByteToWideChar, HeapFree, HeapAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, IsProcessorFeaturePresent, HeapCreate, ExitProcess, WriteFile, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, SetFilePointer, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeW, Sleep, GetConsoleCP, GetConsoleMode, LoadLibraryW, ReadFile, RtlUnwind, SetStdHandle, FlushFileBuffers, HeapReAlloc, WriteConsoleW, RaiseException, HeapSize, CreateFileW, CloseHandle
ADVAPI32.dll  ImpersonateAnonymousToken
Description     Data
Copyrighz       Copyright (C) 2022, pozkarte
ProjectVersion  28.82.74.73
FileVersion     69.47.75.23
Language of compilation system  Country where language is spoken  Map
Marathi                         India
French                          Switzerland
Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP       Dest IP
05/14/22-15:38:34.055550  TCP       2850353  ETPRO MALWARE Redline Stealer TCP CnC - Id1Response  4531         49760      185.215.113.75  192.168.2.4
05/14/22-15:38:32.157673  TCP       2850027  ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init    49760        4531       192.168.2.4     185.215.113.75
05/14/22-15:38:35.355126  TCP       2850286  ETPRO TROJAN Redline Stealer TCP CnC Activity        49760        4531       192.168.2.4     185.215.113.75
                                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                      May 14, 2022 15:38:31.719527960 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:31.774760962 CEST453149760185.215.113.75192.168.2.4
                                                                                                                                                                                                      May 14, 2022 15:38:31.774909019 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:32.157672882 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:32.214399099 CEST453149760185.215.113.75192.168.2.4
                                                                                                                                                                                                      May 14, 2022 15:38:32.284423113 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:33.990946054 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:34.055550098 CEST453149760185.215.113.75192.168.2.4
                                                                                                                                                                                                      May 14, 2022 15:38:34.284590960 CEST497604531192.168.2.4185.215.113.75
                                                                                                                                                                                                      May 14, 2022 15:38:35.355125904 CEST497604531192.168.2.4185.215.113.75
May 14, 2022 15:38:35.431688070 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.431745052 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.431785107 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.431827068 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.431855917 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
May 14, 2022 15:38:35.431907892 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
May 14, 2022 15:38:35.486258030 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.486289024 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:35.486402988 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
May 14, 2022 15:38:46.709021091 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
May 14, 2022 15:38:46.777354002 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:46.790785074 CEST | 4531 | 49760 | 185.215.113.75 | 192.168.2.4
May 14, 2022 15:38:46.879378080 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
May 14, 2022 15:38:47.161674976 CEST | 49760 | 4531 | 192.168.2.4 | 185.215.113.75
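The TCP packet table in the HTML export of this report comes out with its columns fused into one digit run per row (timestamp, source port, destination port, source IP, destination IP, no separators), which makes it hard to extract the C2 endpoint mechanically. The Python below is an added example, not Joe Sandbox code and not part of the original report: it recovers the columns from that fused form. The sample rows are copied from this report; the row regex, the candidate enumeration and the majority-vote disambiguation are this example's own assumptions. The fused form is genuinely ambiguous on its own (the run "453149760" reads as 4531|49760 but also as 45314|9760, and "192.168.2.4185.215.113.75" also splits as 192.168.2.41|85.215.113.75), so the parser enumerates every syntactically valid split of each row and then keeps the endpoint pair that is a valid reading of the most rows, which is the real flow.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample input: six rows copied from this report in the fused form the
# HTML export produces (timestamp, sport, dport, src IP, dst IP with separators lost).
SAMPLE_ROWS = """\
May 14, 2022 15:38:35.431688070 CEST453149760185.215.113.75192.168.2.4
May 14, 2022 15:38:35.431745052 CEST453149760185.215.113.75192.168.2.4
May 14, 2022 15:38:35.431855917 CEST497604531192.168.2.4185.215.113.75
May 14, 2022 15:38:46.709021091 CEST497604531192.168.2.4185.215.113.75
May 14, 2022 15:38:46.777354002 CEST453149760185.215.113.75192.168.2.4
May 14, 2022 15:38:47.161674976 CEST497604531192.168.2.4185.215.113.75
"""

Packet = Tuple[str, int, int, str, str]        # (timestamp, sport, dport, sip, dip)
Flow = FrozenSet[Tuple[str, int]]              # unordered pair of (ip, port) endpoints

# Assumed row shape: "<Mon> <d>, <yyyy> <hh:mm:ss.frac> <TZ>" followed by the fused fields.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)(?P<rest>\d+\..*)$")


def _valid_port(s: str) -> bool:
    return s.isdigit() and not s.startswith("0") and 1 <= int(s) <= 65535


def _valid_ip(s: str) -> bool:
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255 for o in octets)


def candidates(rest: str) -> List[Tuple[int, int, str, str]]:
    """Every split of the fused field into (sport, dport, sip, dip) that is
    syntactically valid. Several usually survive, so this alone cannot decide."""
    first_dot = rest.index(".")
    lead, tail = rest[:first_dot], rest[first_dot:]   # lead = ports + first octet of sip
    out = []
    for k in (1, 2, 3):                               # length of that first octet
        if k >= len(lead):
            continue
        ports, ips = lead[:-k], lead[-k:] + tail
        for i in range(1, len(ports)):
            if not (_valid_port(ports[:i]) and _valid_port(ports[i:])):
                continue
            for j in range(1, len(ips)):
                if _valid_ip(ips[:j]) and _valid_ip(ips[j:]):
                    out.append((int(ports[:i]), int(ports[i:]), ips[:j], ips[j:]))
    return out


def _flow(c: Tuple[int, int, str, str]) -> Flow:
    sport, dport, sip, dip = c
    return frozenset({(sip, sport), (dip, dport)})


def parse_rows(text: str) -> List[Packet]:
    """Resolve the ambiguity by majority: the endpoint pair that is a valid reading
    of the most rows is taken as the real flow, and each row is decoded with the
    single candidate matching it. Rows with no (or several) matches are dropped,
    not guessed."""
    parsed = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parsed.append((m.group("ts"), candidates(m.group("rest"))))
    votes: Counter = Counter()
    for _, cands in parsed:
        for fl in {_flow(c) for c in cands}:
            votes[fl] += 1
    if not votes:
        return []
    best = votes.most_common(1)[0][0]
    packets: List[Packet] = []
    for ts, cands in parsed:
        match = [c for c in cands if _flow(c) == best]
        if len(match) == 1:
            packets.append((ts,) + match[0])
    return packets


def summarize(packets: List[Packet]) -> Dict[str, object]:
    """Name the non-private endpoint (the C2 side) and count packets per direction."""
    counts: Counter = Counter()
    remote = None
    for _, sport, dport, sip, dip in packets:
        if ipaddress.ip_address(sip).is_private:
            remote, direction = f"{dip}:{dport}", "to_remote"
        else:
            remote, direction = f"{sip}:{sport}", "from_remote"
        counts[direction] += 1
    return {"remote": remote, "to_remote": counts["to_remote"],
            "from_remote": counts["from_remote"],
            "first": packets[0][0] if packets else None,
            "last": packets[-1][0] if packets else None}


if __name__ == "__main__":
    print(summarize(parse_rows(SAMPLE_ROWS)))
```

On the sample rows the majority vote settles on 185.215.113.75:4531 as the remote endpoint and 192.168.2.4:49760 as the analysis host, which is the endpoint pair a detection rule for this sample should carry; the alternative readings each appear in only one direction of traffic and are discarded.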
No statistics
Target ID: 0
Start time: 15:38:13
Start date: 14/05/2022
Path: C:\Users\user\Desktop\2sibxc6cB1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2sibxc6cB1.exe"
Imagebase: 0x400000
File size: 379904 bytes
MD5 hash: BBA7DB09449A22CFE8F3310BF1238210
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.307296199.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation: low
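The Yara match list tells an analyst more than "RedLine matched": each Source is a memory dump name that carries the region the rule fired in, and the hit at the process Imagebase 0x400000 with an execute+write protection is what backs the "Detected unpacking (overwrites its own PE header)" signature above, while hits in read-write heap regions are the decrypted configuration and strings. The Python below is an added example, not Joe Sandbox code and not part of the report; it decodes the dump names and sorts the hits into triage buckets. The field layout it assumes (target, stage, id, base address, PAGE_* protection, an undecoded field, MEM_* region type, an undecoded field) is an inference, not documented on this page: the base field equals the Imagebase above and the protection and type fields match the Windows PAGE_*/MEM_* constants exactly, so those three are decoded and everything else is kept raw. The sample lines are copied from this report.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: ten Yara match lines copied from this report's process section.
YARA_LINES = """\
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.307296199.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.308507932.0000000002650000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
"""

# Windows memory protection and region type constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_MASK = 0xF0   # any PAGE_EXECUTE* value

LINE_RE = re.compile(r"Rule: (?P<rule>\S+), .*?Source: (?P<src>\S+?\.sdmp), Author: (?P<author>.+)$")


def decode_dump_name(name: str) -> Dict[str, object]:
    """ASSUMED layout (inferred from this report, not documented by Joe Sandbox):
    target.stage.id.base.protect.field6.type.field8 . Only base, protect and
    type are interpreted; field6 and field8 stay raw."""
    if name.endswith(".sdmp"):
        name = name[:-5]
    f = name.split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"target": int(f[0]), "stage": int(f[1]), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "executable": bool(protect & EXECUTABLE_MASK),
            "type": MEM_TYPE.get(mtype, hex(mtype)), "raw": f}


def parse_yara_matches(text: str) -> Dict[str, List[str]]:
    """Group the rule names that fired by dump source."""
    by_dump: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_dump[m.group("src")].append(m.group("rule"))
    return dict(by_dump)


def triage(text: str, image_base: int = 0x400000) -> Dict[str, List[str]]:
    """image_base: the original module was overwritten in place (unpacking);
    exec_private: executable private memory, a second payload region;
    other: data/heap hits (config, strings, stolen data buffers)."""
    buckets: Dict[str, List[str]] = {"image_base": [], "exec_private": [], "other": []}
    for src, rules in parse_yara_matches(text).items():
        d = decode_dump_name(src)
        label = f"{d['base']:#x} {d['protect']} {d['type']} rules={sorted(set(rules))}"
        if d["base"] == image_base:
            buckets["image_base"].append(label)
        elif d["executable"] and d["type"] == "MEM_PRIVATE":
            buckets["exec_private"].append(label)
        else:
            buckets["other"].append(label)
    return buckets


if __name__ == "__main__":
    for bucket, labels in triage(YARA_LINES).items():
        print(bucket, *labels, sep="\n  ")
```

Run against the lines above, the 0x400000 dump decodes as PAGE_EXECUTE_READWRITE MEM_IMAGE (the rewritten main module), 0x6D0000 as an executable MEM_PRIVATE region, and the remaining six dumps as read-write heap or mapped memory; when pulling IOCs from a report, the first two buckets are where the unpacked binary for static analysis lives, the last is where the configuration strings sit.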

No disassembly