
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 778225
MD5: 666c88fcf0d3bfeff2141ae4cd3c998f
SHA1: f24d13e05099aaeadda2933af13a01dd31defe6e
SHA256: 2ffce4a30025c7b0c408da211a4a5c00c395c4933b94ecfa818a8c1aea5ae4d2
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
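Two of the signatures above, "Detected unpacking (overwrites its own PE header)" and "Detected unpacking (changes PE section rights)", are the kind of thing an analyst checks by hand on the dumped regions (the .sdmp and .unpack files listed further down). The following Python is an added example and is not Joe Sandbox code: it builds two constructed, headers-only PE32 images plus a copy whose DOS header has been zeroed, then parses the section table and reports sections that are both writable and executable or a header that is no longer a valid PE. The section flags in the header are a static proxy; the sandbox signature is raised on runtime protection changes (for example VirtualProtect on a section), which a header check can only reflect once the unpacker has rewritten the image in memory. Constants, section names and the inspect_pe result shape are this example's own.

```python
"""Triage a dumped PE region for a wiped header and for writable+executable sections.
Added example; not part of the Joe Sandbox report or its tooling."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INIT = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Build a headers-only 32-bit PE image for the demo (constructed, not a real sample).

    sections: list of (name, virtual_address, characteristics).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0xE0 for PE32), Characteristics (EXECUTABLE_IMAGE|32BIT_MACHINE)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)  # PE32 magic, remaining fields zeroed
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"), 0x1000, vaddr, 0x1000, 0x400, 0, 0, 0, 0, chars)
        for name, vaddr, chars in sections
    )
    return dos + b"PE\x00\x00" + file_hdr + opt_hdr + table


def inspect_pe(buf: bytes) -> dict:
    """Return {'header': status, 'sections': [(name, vaddr, characteristics)], 'rwx': [names]}."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return {"header": "DOS header missing or overwritten", "sections": [], "rwx": []}
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"header": "PE signature missing or overwritten", "sections": [], "rwx": []}
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    sections, rwx = [], []
    for i in range(num_sections):
        off = table + i * struct.calcsize(SECTION_FMT)
        if off + struct.calcsize(SECTION_FMT) > len(buf):
            break  # truncated table: header partially wiped or dump cut short
        raw_name, _, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, buf, off)
        name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, vaddr, chars))
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            rwx.append(name)
    return {"header": "ok", "sections": sections, "rwx": rwx}


# Constructed inputs: a conventional layout, the same layout with a writable code section
# (what a section-rights change leaves behind), and a dump whose first 0x40 bytes were overwritten.
CLEAN = build_pe([(".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                  (".data", 0x2000, IMAGE_SCN_CNT_INIT | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
RWX = build_pe([(".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                (".data", 0x2000, IMAGE_SCN_CNT_INIT | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
WIPED = b"\x00" * 0x40 + RWX[0x40:]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("rwx", RWX), ("wiped", WIPED)):
        print(label, inspect_pe(blob))
```

On a real dump, pass the bytes of the .unpack or .sdmp file instead of the constructed images; a "header ... overwritten" result on a region that Yara still matches is exactly the pattern the two signatures describe.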

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4092, cmdline: C:\Users\user\Desktop\file.exe, MD5: 666C88FCF0D3BFEFF2141AE4CD3C998F)
  • cleanup

Malware Configuration

{"C2 url": "77.73.133.62:22344", "Bot Id": "@new@2023", "Message": "Error!", "Authorization Header": "8284279aedaed026a9b7cb9c1c0be4e4"}
Yara matches in network traffic (dump.pcap)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Yara matches in memory dumps

Source | Rule | Description | Author
00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x294bc:$pat14: , CommandLine:
  • 0x1dc09:$v2_1: ListOfProcesses
  • 0x1d3d7:$v4_3: base64str
  • 0x1d3a4:$v4_4: stringKey
  • 0x1d3e1:$v4_5: BytesToStringConverted
  • 0x1d3cc:$v4_6: FromBase64
  • 0x1d8bd:$v4_8: procName
00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 AE 88 44 24 2B 88 44 24 2F B0 EF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
(12 further entries not shown in this export)

Yara matches in unpacked PEs

Source | Rule | Description | Author
0.2.file.exe.2620000.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.2620000.6.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x285d4:$pat14: , CommandLine:
  • 0x1cd21:$v2_1: ListOfProcesses
  • 0x1c4ef:$v4_3: base64str
  • 0x1c4bc:$v4_4: stringKey
  • 0x1c4f9:$v4_5: BytesToStringConverted
  • 0x1c4e4:$v4_6: FromBase64
  • 0x1c9d5:$v4_8: procName
0.2.file.exe.2390000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.2390000.4.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x276bc:$pat14: , CommandLine:
  • 0x1be09:$v2_1: ListOfProcesses
  • 0x1b5d7:$v4_3: base64str
  • 0x1b5a4:$v4_4: stringKey
  • 0x1b5e1:$v4_5: BytesToStringConverted
  • 0x1b5cc:$v4_6: FromBase64
  • 0x1babd:$v4_8: procName
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(23 further entries not shown in this export)
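The MALWARE_Win_RedLine matches above list the rule's string identifiers and the offsets at which they hit, but not the rule's condition. The Python below is an added example, not the ditekSHen rule or any Joe Sandbox code: it scans a byte buffer for the same indicator strings (the ASCII class and field names, plus $s1, which is the text "#+3;CScs" encoded as UTF-16LE) and returns their offsets in the same spirit as the match list. The verdict threshold (the UTF-16 marker, or at least four of the $v4_* names) is this example's assumption, chosen because a single name such as FromBase64 occurs in plenty of benign .NET code; the sample buffer is constructed here and is not data from the report.

```python
"""Scan a memory dump for the RedLine string indicators listed in the Yara matches above.
Added example; not the MALWARE_Win_RedLine rule, whose condition the report does not show."""
from __future__ import annotations

# Indicators copied from the MALWARE_Win_RedLine (ditekSHen) matches reported above;
# the keys are that rule's own string identifiers.
ASCII_INDICATORS: dict[str, bytes] = {
    "$pat14": b", CommandLine:",
    "$v2_1": b"ListOfProcesses",
    "$v4_3": b"base64str",
    "$v4_4": b"stringKey",
    "$v4_5": b"BytesToStringConverted",
    "$v4_6": b"FromBase64",
    "$v4_8": b"procName",
}
# $s1 is printed as raw hex in the report; it is "#+3;CScs" encoded as UTF-16LE.
HEX_INDICATORS: dict[str, str] = {
    "$s1": "23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00",
}


def hex_pattern(spec: str) -> bytes:
    """Turn a space-separated hex string as printed in the report into bytes."""
    return bytes.fromhex(spec.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in buf (overlapping occurrences included)."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> dict[str, list[int]]:
    """Map each indicator name to the offsets where it was found; names that did not match are absent."""
    patterns = dict(ASCII_INDICATORS)
    patterns.update({k: hex_pattern(v) for k, v in HEX_INDICATORS.items()})
    return {name: offs for name, pat in patterns.items() if (offs := find_all(buf, pat))}


def verdict(matches: dict[str, list[int]], min_v4: int = 4) -> bool:
    """Assumed condition (not the rule's): the UTF-16 marker, or at least min_v4 of the $v4_* names."""
    v4_hits = sum(1 for name in matches if name.startswith("$v4_"))
    return "$s1" in matches or v4_hits >= min_v4


# Constructed dump fragment (not the report's data): the marker, the class/field names and a
# ", CommandLine:" fragment separated by NUL padding, as they would sit in a decrypted .NET payload.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "#+3;CScs".encode("utf-16-le")
    + b"\x00" * 8
    + b"ListOfProcesses\x00"
    + b"stringKey\x00FromBase64\x00base64str\x00BytesToStringConverted\x00procName\x00"
    + b", CommandLine: C:\\Users\\user\\Desktop\\file.exe\x00"
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for name, offs in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"{name:8} at {[hex(o) for o in offs]}")
    print("RedLine indicators present:", verdict(found))
```

To run it against the report's artifacts, read one of the listed .sdmp or .unpack files into bytes and pass it to scan(); the offsets it prints should then line up with the hex offsets in the match list.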
                  No Sigma rule has matched
Snort IDS alerts

Timestamp: 01/05/23-08:33:19.794738
SID: 2850286
Source IP: 192.168.2.3
Source Port: 49698
Destination IP: 77.73.133.62
Destination Port: 22344
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:33:15.942610
SID: 2850027
Source IP: 192.168.2.3
Source Port: 49698
Destination IP: 77.73.133.62
Destination Port: 22344
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:33:17.284418
SID: 2850353
Source IP: 77.73.133.62
Source Port: 22344
Destination IP: 192.168.2.3
Destination Port: 49698
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "77.73.133.62:22344", "Bot Id": "@new@2023", "Message": "Error!", "Authorization Header": "8284279aedaed026a9b7cb9c1c0be4e4"}

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\suyo14-voc-rukaxan.pdb | source: file.exe
Source: Binary string: _.pdb | source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49698 -> 77.73.133.62:22344
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49698 -> 77.73.133.62:22344
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 77.73.133.62:22344 -> 192.168.2.3:49698
Source: Malware configuration extractor | URLs: 77.73.133.62:22344
Source: Joe Sandbox View | ASN Name: AS43260TR
Source: Joe Sandbox View | IP Address: 77.73.133.62
Source: global traffic | TCP traffic: 192.168.2.3:49698 -> 77.73.133.62:22344
Source: unknown | TCP traffic detected without corresponding DNS query: 77.73.133.62 (12 occurrences)
Strings found in binary or memory, grouped by the memory dump they were found in:

Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  • http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  • http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  • http://schemas.xmlsoap.org/ws/2002/12/policy
  • http://schemas.xmlsoap.org/ws/2004/04/sc
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust
  • http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/06/addressingex
  • http://schemas.xmlsoap.org/ws/2004/10/wsat
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  • http://schemas.xmlsoap.org/ws/2005/02/sc
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  • http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • http://schemas.xmlsoap.org/ws/2005/02/trust
  • http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  • http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  • http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
  • http://tempuri.org/
  • http://tempuri.org/Entity/Id1Response
  • http://tempuri.org/Entity/Id2Response

Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  • http://tempuri.org/Entity/Id1
  • http://tempuri.org/Entity/Id2

Source: file.exe, 00000000.00000002.320030058.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: file.exe, 00000000.00000002.320030058.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: file.exe, 00000000.00000002.319868177.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o

Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp
  • https://ac.ecosia.org/autocomplete?q=
  • https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  • https://duckduckgo.com/ac/?q=

Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: file.exe, 00000000.00000002.314645028.00000000007F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02230C2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02230C30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05807448
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05808180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580C1D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580A1E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580BC88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580C503
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040E1D8 appears 44 times
Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000002.320916289.0000000003735000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs file.exe
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\file.exe | Command line argument: 08A
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\suyo14-voc-rukaxan.pdb source: file.exe
Source: Binary string: _.pdb source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C40C push cs; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423149 push eax; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C50E push cs; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004231C8 push eax; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E21D push ecx; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C6BE push ebx; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008099F0 push FFFFFFE1h; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080C93B push edi; retf
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080F170 push cs; retf
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_022343CD push ebp; retf
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02234C14 push cs; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\file.exe TID: 2400Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 1768Thread sleep count: 3524 > 30
                  Source: C:\Users\user\Desktop\file.exe TID: 6084Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                  Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\file.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 3524
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware18E_2DU2Win32_VideoControllerFN_PM3SZVideoController120060621000000.000000-00067789331display.infMSBDA3PUCB96YPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVV3CDAMO0ad49c6d16a3b6d\rY
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
                  Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00807ED3 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004123F1 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: file.exe, 00000000.00000002.314962542.0000000000867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.324532388.00000000058B4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: JaxxE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ExodusE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: EthereumE#
                  Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: Yara matchFile source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR
                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts221
                  Windows Management Instrumentation
                  Path InterceptionPath Interception1
                  Masquerading
                  1
                  OS Credential Dumping
                  1
                  System Time Discovery
                  Remote Services1
                  Input Capture
                  Exfiltration Over Other Network Medium1
                  Encrypted Channel
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts2
                  Command and Scripting Interpreter
                  Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools
                  1
                  Input Capture
                  261
                  Security Software Discovery
                  Remote Desktop Protocol1
                  Archive Collected Data
                  Exfiltration Over Bluetooth1
                  Non-Standard Port
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain Accounts2
                  Native API
                  Logon Script (Windows)Logon Script (Windows)231
                  Virtualization/Sandbox Evasion
                  Security Account Manager231
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin Shares3
                  Data from Local System
                  Automated Exfiltration1
                  Application Layer Protocol
                  Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                  Deobfuscate/Decode Files or Information
                  NTDS11
                  Process Discovery
                  Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information
                  LSA Secrets1
                  Application Window Discovery
                  SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Software Packing
                  Cached Domain Credentials134
                  System Information Discovery
                  VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  SourceDetectionScannerLabelLink
                  file.exe100%Joe Sandbox ML
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  windowsupdatebg.s.llnwi.net0%VirustotalBrowse
                  SourceDetectionScannerLabelLink
                  http://tempuri.org/0%URL Reputationsafe
                  http://tempuri.org/Entity/Id2Response0%URL Reputationsafe
                  https://api.ip.sb/ip0%URL Reputationsafe
                  http://tempuri.org/Entity/Id1Response0%URL Reputationsafe
                  77.73.133.62:223440%URL Reputationsafe
                  http://www.w3.o0%URL Reputationsafe
                  http://tempuri.org/Entity/Id10%URL Reputationsafe
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  windowsupdatebg.s.llnwi.net
                  95.140.236.128
                  truefalseunknown
                  NameMaliciousAntivirus DetectionReputation
                  77.73.133.62:22344true
                  • URL Reputation: safe
                  unknown
                  NameSourceMaliciousAntivirus DetectionReputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/02/sc/sct file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  https://duckduckgo.com/chrome_newtab file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  https://duckduckgo.com/ac/?q= file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://tempuri.org/ file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  • URL Reputation: safe
                  unknown
                  http://tempuri.org/Entity/Id2Response file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  • URL Reputation: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                  high
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp false
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.ip.sb/ipfile.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/scfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id1Responsefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegofile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Noncefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renewfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://search.yahoo.com?fr=crmas_sfpffile.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/06/addressingexfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoorfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/Noncefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsefile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/faultfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renewfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.w3.ofile.exe, 00000000.00000002.319868177.0000000002AEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentiffile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Committedfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponsefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Cancelfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
Reputation: high

Name: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://tempuri.org/Entity/Id1
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP: 77.73.133.62
Domain: unknown
Country: Kazakhstan
ASN: 43260
ASN Name: AS43260TR
Malicious: true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 778225
Start date and time: 2023-01-05 08:32:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 8.248.131.254, 67.26.75.254, 8.253.207.121, 8.253.207.120, 67.26.137.254, 209.197.3.8, 93.184.221.240
• Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, dual-a-0001.a-msedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time: 08:33:28
Type: API Interceptor
Description: 20x Sleep call for process: file.exe modified

No context
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKx1qHAHxLHqH5HX:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbqA
MD5: A374B6BA789CC3D1135615FFE61BB448
SHA1: 7FC31737426CE659638FD9DDE50A11FBEB8D0FB5
SHA-256: D6C911C395022483BB1ACB6B9DF303E210FB80F2875C31BFF62404F2E10897D0
SHA-512: 614289188EA2E2B9AC1A76AFEB60D8F5423E6BB9FF505D707B6E59D20F49530B1418640BA0160A76A3E27249ACEA4108AE10AEA163E34291D6DCD1EBF9C68953
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.357018387882796
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 370688
MD5: 666c88fcf0d3bfeff2141ae4cd3c998f
SHA1: f24d13e05099aaeadda2933af13a01dd31defe6e
SHA256: 2ffce4a30025c7b0c408da211a4a5c00c395c4933b94ecfa818a8c1aea5ae4d2
SHA512: 13ea510475f5c54bd0849bfa464fd8d8f0eb49a97deeb579241d70ef37ec3ca38230be106b73b3a054b30c96885ed88172122fc24d4f95d238c1a6013d62dca1
SSDEEP: 6144:45OL/4Vw30CgqHDS+tMLavr4SlyqAhFwn/rHOob4:45O74VwGqHe+tGaESlyqAHYrHA
TLSH: E074F021F693C435C6921A35083CA6E07A77BC725875DC4F33A43B3E5E712C06A667BA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L.....zb...
Icon Hash: 9062e090c6e73146
Entrypoint: 0x40600e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x627A050C [Tue May 10 06:24:12 2022 UTC]
                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                            OS Version Major:5
                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                            File Version Major:5
                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                            Subsystem Version Major:5
                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                            Import Hash:7bca87c7309353055aed194207c93e99
Instruction
call 00007FD8ECE20179h
jmp 00007FD8ECE1AA9Eh
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007FD8ECE1AC8Bh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007FD8ECE1AC38h
cmp edx, 00000100h
jc 00007FD8ECE1AC30h
cmp dword ptr [0046AE2Ch], 00000000h
je 00007FD8ECE1AC27h
jmp 00007FD8ECE2022Dh
push edi
mov edi, ecx
cmp edx, 04h
jc 00007FD8ECE1AC53h
neg ecx
and ecx, 03h
je 00007FD8ECE1AC2Eh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007FD8ECE1AC18h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007FD8ECE1AC28h
rep stosd
test edx, edx
je 00007FD8ECE1AC2Ch
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007FD8ECE1AC18h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD8ECE1AC2Ah
cmp edi, eax
jc 00007FD8ECE1ADCAh
cmp ecx, 00000100h
jc 00007FD8ECE1AC41h
cmp dword ptr [0046AE2Ch], 00000000h
je 00007FD8ECE1AC38h
push edi
push esi
and edi, 0Fh
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16dec          0x3c          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6b000          0xbcb0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1220           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x43a0           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x1000           0x16850       0x16a00   False     0.5433895890883977  data       6.339213405332651  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0x18000          0x52e34       0x37c00   False     0.9675194436659192  data       7.927411246731437  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x6b000          0xbcb0        0xbe00    False     0.3848889802631579  data       4.233070994447432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name               RVA      Size    Type                                                                                   Language  Country
AFX_DIALOG_LAYOUT  0x740a0  0x2     data
AFX_DIALOG_LAYOUT  0x74098  0x2     data
AFX_DIALOG_LAYOUT  0x740a8  0x2     data
AFX_DIALOG_LAYOUT  0x740b0  0x2     data
AFX_DIALOG_LAYOUT  0x740b8  0x2     data
RT_CURSOR          0x740c0  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR          0x74208  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR          0x74338  0xf0    Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR          0x74428  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_CURSOR          0x75500  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON            0x6b6e0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0                           Serbian   Italy
RT_ICON            0x6bda8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                           Serbian   Italy
RT_ICON            0x6c310  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                          Serbian   Italy
RT_ICON            0x6d3b8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                          Serbian   Italy
RT_ICON            0x6d860  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Serbian   Italy
                                                                                                                                                                                                            RT_ICON0x6e7080x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsSerbianItaly
                                                                                                                                                                                                            RT_ICON0x6efb00x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsSerbianItaly
                                                                                                                                                                                                            RT_ICON0x6f6780x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsSerbianItaly
                                                                                                                                                                                                            RT_ICON0x6fbe00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600SerbianItaly
                                                                                                                                                                                                            RT_ICON0x721880x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224SerbianItaly
                                                                                                                                                                                                            RT_ICON0x732300x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400SerbianItaly
                                                                                                                                                                                                            RT_ICON0x73bb80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088SerbianItaly
                                                                                                                                                                                                            RT_STRING0x75f180xeadataSerbianItaly
                                                                                                                                                                                                            RT_STRING0x760080x348dataSerbianItaly
                                                                                                                                                                                                            RT_STRING0x763500x682dataSerbianItaly
                                                                                                                                                                                                            RT_STRING0x769d80x2d8dataSerbianItaly
                                                                                                                                                                                                            RT_GROUP_CURSOR0x741f00x14data
                                                                                                                                                                                                            RT_GROUP_CURSOR0x75da80x14data
                                                                                                                                                                                                            RT_GROUP_CURSOR0x754d00x30data
                                                                                                                                                                                                            RT_GROUP_ICON0x740200x76dataSerbianItaly
                                                                                                                                                                                                            RT_GROUP_ICON0x6d8200x3edataSerbianItaly
                                                                                                                                                                                                            RT_VERSION0x75dc00x154Encore not stripped - version 79
| DLL | Import |
|---|---|
| KERNEL32.dll | GetConsoleAliasW, GetModuleHandleW, CreateDirectoryExW, ReadConsoleInputW, GetTempPathW, GetSystemDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SearchPathA, VerifyVersionInfoA, SetProcessPriorityBoost, EndUpdateResourceA, FindNextFileW, FindFirstVolumeA, LocalShrink, GlobalFlags, _llseek, UpdateResourceA, CreateActCtxW, CopyFileW, AddConsoleAliasW, CreateMutexA, GetCurrentActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, SetEvent, MoveFileExA, CreateMailslotA, WriteConsoleInputA, TerminateThread, GetCurrentProcess, RtlCaptureContext, InterlockedCompareExchange, GetFileTime, lstrcatA, FindFirstFileW, FreeEnvironmentStringsA, SetErrorMode, InterlockedExchangeAdd, MoveFileWithProgressA, GetTickCount, SetLastError, GetPrivateProfileStructW, VerSetConditionMask, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA |
| GDI32.dll | SetBrushOrgEx |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Serbian | Italy | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/05/23-08:33:19.794738 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| 01/05/23-08:33:15.942610 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| 01/05/23-08:33:17.284418 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 5, 2023 08:33:15.515443087 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:15.538602114 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:15.538750887 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:15.942610025 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:15.966166019 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:16.011603117 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:17.261018991 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:17.284418106 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:17.339823008 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:19.794738054 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:19.821599960 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:19.821656942 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:19.821726084 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:19.821727991 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:19.821774006 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:19.821813107 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:19.821839094 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:19.871328115 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:32.675800085 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Jan 5, 2023 08:33:32.700694084 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:32.701272011 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:32.701309919 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:32.754235029 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3 |
| Jan 5, 2023 08:33:32.800678015 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 5, 2023 08:32:51.825423956 CET | 8.8.8.8 | 192.168.2.3 | 0x1033 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.236.128 | A (IP address) | IN (0x0001) | false |
| Jan 5, 2023 08:32:51.825423956 CET | 8.8.8.8 | 192.168.2.3 | 0x1033 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.242.0 | A (IP address) | IN (0x0001) | false |
| Jan 5, 2023 08:32:52.124833107 CET | 8.8.8.8 | 192.168.2.3 | 0xa184 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.236.0 | A (IP address) | IN (0x0001) | false |
| Jan 5, 2023 08:32:52.124833107 CET | 8.8.8.8 | 192.168.2.3 | 0xa184 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.242.0 | A (IP address) | IN (0x0001) | false |
No statistics

Target ID: 0
Start time: 08:32:56
Start date: 05/01/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x400000
File size: 370688 bytes
MD5 hash: 666C88FCF0D3BFEFF2141AE4CD3C998F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly