Windows Analysis Report
szDGo5lHdI.exe

Overview

General Information

Sample Name: szDGo5lHdI.exe
Original Sample Name: d20ba0ceff50b0a05c84f694e28462aa.exe
Analysis ID: 829671
MD5: d20ba0ceff50b0a05c84f694e28462aa
SHA1: c7c3b70840660f8dd81770e3bd5200eb2feda120
SHA256: bfe36fe57256d59f04350be588333d644cf1aac03039d14dfce313aa60d42ced
Tags: exe, RedLineStealer

Detection

Amadey, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Disable Windows Defender notifications (registry)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • szDGo5lHdI.exe (PID: 4688 cmdline: C:\Users\user\Desktop\szDGo5lHdI.exe MD5: D20BA0CEFF50B0A05C84F694E28462AA)
    • kino0095.exe (PID: 5248 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe MD5: 566C1099548DF136503F4DC814D54B17)
      • kino2456.exe (PID: 5212 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe MD5: EBD95183957BECDB18025FC9D553B15E)
        • kino0588.exe (PID: 6088 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe MD5: 54A8FD200F50B6AF0F10CA6EB68471D3)
          • bus9402.exe (PID: 6120 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
          • con1332.exe (PID: 5144 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe MD5: 0B63FCA2981CA840B845011956E212AD)
        • dvL76s65.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe MD5: C49DABA1E54976E33808914E11DEE05B)
  • rundll32.exe (PID: 4968 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 812 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 5892 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
{"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
Source | Rule | Description | Author | Strings
0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x2d742:$pat14: , CommandLine:
  • 0x1f823:$v2_1: ListOfProcesses
  • 0x1df49:$v4_3: base64str
  • 0x1df08:$v4_4: stringKey
  • 0x1df53:$v4_5: BytesToStringConverted
  • 0x1df3e:$v4_6: FromBase64
  • 0x1f4de:$v4_8: procName
  • 0x1cc30:$v5_5: FileScanning
  • 0x1ce4e:$v5_7: RecordHeaderField
  • 0x1cd80:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 05 88 44 24 2B 88 44 24 2F B0 95 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(22 entries in total; the remaining entries are not shown in this extract)
Source | Rule | Description | Author | Strings
15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x2c85a:$pat14: , CommandLine:
  • 0x1e93b:$v2_1: ListOfProcesses
  • 0x1d061:$v4_3: base64str
  • 0x1d020:$v4_4: stringKey
  • 0x1d06b:$v4_5: BytesToStringConverted
  • 0x1d056:$v4_6: FromBase64
  • 0x1e5f6:$v4_8: procName
  • 0x1bd48:$v5_5: FileScanning
  • 0x1bf66:$v5_7: RecordHeaderField
  • 0x1be98:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
13.2.con1332.exe.2bf0e67.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
13.2.con1332.exe.2bf0e67.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
13.3.con1332.exe.2c20000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(37 entries in total; the remaining entries are not shown in this extract)
No Sigma rule has matched

Timestamp: 03/18/23-20:58:24.653479
Source IP: 192.168.2.3
Destination IP: 193.233.20.30
SID: 2043231
Source Port: 49701
Destination Port: 4125
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-20:58:07.054155
Source IP: 192.168.2.3
Destination IP: 193.233.20.30
SID: 2043233
Source Port: 49701
Destination Port: 4125
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/23-20:58:08.632497
Source IP: 193.233.20.30
Destination IP: 192.168.2.3
SID: 2043234
Source Port: 4125
Destination Port: 49701
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: szDGo5lHdI.exe | ReversingLabs: Detection: 46%
Source: szDGo5lHdI.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | Virustotal: Detection: 79%
Source: szDGo5lHdI.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.szDGo5lHdI.exe.6f26a20.1.unpack | Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_010B2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00962F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00192F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Compliance

Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Unpacked PE file: 0.2.szDGo5lHdI.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Unpacked PE file: 13.2.con1332.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe | Unpacked PE file: 15.2.dvL76s65.exe.400000.0.unpack
Source: szDGo5lHdI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: wextract.pdb source: szDGo5lHdI.exe, szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000002.446310125.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000002.437433001.00000000010B1000.00000020.00000001.01000000.00000004.sdmp, kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, kino2456.exe, kino2456.exe, 00000002.00000002.430454699.0000000000961000.00000020.00000001.01000000.00000005.sdmp, kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.263688959.0000000000191000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: szDGo5lHdI.exe, 00000000.00000003.260924559.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, ge821663.exe.0.dr
Source: Binary string: Healer.pdb source: con1332.exe, 0000000D.00000002.329988354.0000000007090000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000002.446310125.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000002.437433001.00000000010B1000.00000020.00000001.01000000.00000004.sdmp, kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, kino2456.exe, 00000002.00000002.430454699.0000000000961000.00000020.00000001.01000000.00000005.sdmp, kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, kino0588.exe, 00000003.00000000.263688959.0000000000191000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000000.331145914.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, dvL76s65.exe.2.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.264209575.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.264403832.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.264209575.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000000.300762945.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
Source: Binary string: _.pdb source: con1332.exe, 0000000D.00000002.328304640.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000003.304290466.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, dvL76s65.exe, 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000000.331145914.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, dvL76s65.exe.2.dr
Source: Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: szDGo5lHdI.exe
Source: Binary string: Healer.pdbH5 source: con1332.exe, 0000000D.00000002.329988354.0000000007090000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_010B2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00962390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00192390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49701 -> 193.233.20.30:4125
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49701 -> 193.233.20.30:4125
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 193.233.20.30:4125 -> 192.168.2.3:49701
Source: Malware configuration extractor | URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor | URLs: 193.233.20.30:4125
Source: Joe Sandbox View | ASN Name: REDCOM-ASRedcomKhabarovskRussiaRU
Source: Joe Sandbox View | IP Address: 193.233.20.30
Source: global traffic | TCP traffic: 192.168.2.3:49701 -> 193.233.20.30:4125
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm8D#
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, en675431.exe.1.drString found in binary or memory: https://api.ip.sb/ip
                      Source: dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.20.30 (35 occurrences in the report, one per observed connection)
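The "TCP traffic detected without corresponding DNS query" entries above record connections to 193.233.20.30 that no DNS answer in the capture explains, the usual shape of a hard-coded C2 address. The check below is added here as an illustration and is not code from the Joe Sandbox report: it reproduces that signature over constructed DNS-answer and TCP-connect records, counting per destination the connections that no earlier DNS answer resolved to, skipping RFC 1918 and other local ranges, and treating an answer that arrives only after the connection as no answer at all. The timestamps, ports, the names update.example and cdn.example, and the addresses 192.0.2.10, 198.51.100.7 and 10.0.0.5 are invented; only 193.233.20.30 comes from the report.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Destinations that never need a DNS lookup. Documentation ranges (192.0.2.0/24 etc.)
# are deliberately not listed so that the constructed sample below is not filtered out.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class DnsAnswer:
    ts: float   # seconds since capture start
    name: str
    ip: str


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    dst_ip: str
    dst_port: int


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_unresolved_connects(dns: List[DnsAnswer], tcp: List[TcpConnect],
                             exclude_local: bool = True) -> Dict[str, int]:
    """Count, per destination IP, the TCP connections that no DNS answer seen *before*
    the connection resolved to. This is the sandbox's 'TCP traffic without corresponding
    DNS query' signature; an answer that only arrives afterwards does not count."""
    hits: Dict[str, int] = {}
    for c in sorted(tcp, key=lambda c: c.ts):
        if exclude_local and is_local(c.dst_ip):
            continue
        if not any(a.ip == c.dst_ip and a.ts <= c.ts for a in dns):
            hits[c.dst_ip] = hits.get(c.dst_ip, 0) + 1
    return hits


# Constructed capture: one legitimate lookup, one lookup that arrives too late,
# one SMB connection to a private host, and 35 connections to the report's C2 address.
SAMPLE_DNS = [
    DnsAnswer(0.9, "update.example", "198.51.100.7"),   # answered after the connect at 0.5
    DnsAnswer(1.0, "cdn.example", "192.0.2.10"),
]
SAMPLE_TCP = (
    [TcpConnect(0.5, "198.51.100.7", 443), TcpConnect(1.5, "192.0.2.10", 443),
     TcpConnect(1.7, "10.0.0.5", 445)]
    + [TcpConnect(2.0 + i, "193.233.20.30", 80) for i in range(35)]
)

if __name__ == "__main__":
    for ip, n in find_unresolved_connects(SAMPLE_DNS, SAMPLE_TCP).items():
        print(f"{ip}: {n} connection(s) without a preceding DNS answer")
```

On real data the same function takes the DNS answers and connection records from a pcap or proxy log; the ordering check is what separates a hard-coded address from a name that was simply resolved by another process.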

                      System Summary

Source: 15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.con1332.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.con1332.exe.2c20000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4a20000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino0095.exe.4d2a220.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4a20ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4c10000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4c10000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.3.dvL76s65.exe.2c80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4a20000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.2cd6d86.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.2cd6d86.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino0095.exe.4d2a220.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.4a20ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 15.2.dvL76s65.exe.2cd7c6e.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.412282672.0000000002E28000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.328271047.0000000002DE6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.447521600.0000000006902000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.447701625.0000000006A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Code function: 0_2_00403BA2
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Code function: 0_2_00405C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_010B3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_010B5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00963BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00965C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00193BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00195C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF2B17
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF18B7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF786D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02C089EF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF3187
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF31F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF7EA6
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF8EC7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BFDE78
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF77D9
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF6F07
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02C0A725
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02C08F33
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02C084AB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_02BF2DF7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_046B0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: 13_2_046B0B78
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
Source: szDGo5lHdI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.con1332.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.con1332.exe.2c20000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4a20000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino0095.exe.4d2a220.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4a20ee8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4c10000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4c10000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.3.dvL76s65.exe.2c80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4a20000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.2cd6d86.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.2cd6d86.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino0095.exe.4d2a220.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.4a20ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 15.2.dvL76s65.exe.2cd7c6e.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.412282672.0000000002E28000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.328271047.0000000002DE6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.447521600.0000000006902000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.447701625.0000000006A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\szDGo5lHdI.exe | Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | Code function: 1_2_010B1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | Code function: 2_2_00961F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | Code function: 3_2_00191F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | Code function: String function: 02BFE43F appears 44 times
Source: kino0095.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 712052 bytes, 2 files, at 0x2c +A "kino2456.exe" +A "en675431.exe", ID 1903, number 1, 28 datablocks, 0x1503 compression
Source: kino2456.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566384 bytes, 2 files, at 0x2c +A "kino0588.exe" +A "dvL76s65.exe", ID 2007, number 1, 24 datablocks, 0x1503 compression
Source: kino0588.exe.2.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206926 bytes, 2 files, at 0x2c +A "bus9402.exe" +A "con1332.exe", ID 1794, number 1, 11 datablocks, 0x1503 compression
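The three RT_RCDATA entries above are the nested chain of WEXTRACT (IExpress) self-extractors that the process list later confirms: kino0095.exe carries kino2456.exe and en675431.exe, kino2456.exe carries kino0588.exe and dvL76s65.exe, and kino0588.exe carries bus9402.exe and con1332.exe. The parser below is added here as an illustration and is not part of the Joe Sandbox report: it reads the CFHEADER, CFFOLDER and CFFILE structures of a Microsoft Cabinet and produces the fields the report quotes (size, file count, the 0x2c offset of the first CFFILE entry, the +A archive attribute, and typeCompress 0x1503, which is LZX with a 21-bit window). It runs on a constructed, directory-only cabinet whose two file names are taken from the kino0095.exe entry; the bytes are not from the sample and no CFDATA payload is decompressed. To apply it to a real dropper, pass it the raw RT_RCDATA resource bytes from any PE resource extractor, since the function locates the MSCF signature itself.

```python
import struct
from dataclasses import dataclass
from typing import List

# Fixed-size structures from the MS-CAB specification (little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes (0x24)
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE_FIXED = struct.Struct("<IIHHHH")      # cbFile, uoffFolderStart, iFolder, date, time, attribs

COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
ATTRIBS = [(0x01, "R"), (0x02, "H"), (0x04, "S"), (0x20, "A"), (0x40, "X")]


@dataclass
class CabFile:
    name: str
    size: int
    folder: int
    attribs: int


@dataclass
class CabInfo:
    cab_size: int
    first_file_offset: int
    folder_types: List[int]   # raw typeCompress per CFFOLDER
    files: List[CabFile]


def compression_name(type_compress: int) -> str:
    """Decode CFFOLDER.typeCompress; for LZX the high byte carries the window size in bits."""
    method = COMPRESSION.get(type_compress & 0x000F, "unknown")
    return f"LZX:{(type_compress >> 8) & 0x1F}" if method == "LZX" else method


def attrib_string(attribs: int) -> str:
    """Render CFFILE.attribs the way the report's `file` output does, e.g. 0x20 -> '+A'."""
    return "".join(f"+{letter}" for bit, letter in ATTRIBS if attribs & bit)


def parse_cab(data: bytes) -> CabInfo:
    """Parse the cabinet directory starting at the first MSCF signature in `data`.
    Only the directory is read; CFDATA blocks are never touched."""
    start = data.find(b"MSCF")
    if start < 0:
        raise ValueError("no MSCF signature in data")
    blob = data[start:]
    (_sig, _r1, cab_size, _r2, coff_files, _r3, _v_minor, _v_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(blob, 0)
    off = CFHEADER.size
    folder_reserve = 0
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: per-structure reserve sizes follow the header
        cb_header_res, cb_folder_res, _cb_data_res = struct.unpack_from("<HBB", blob, off)
        off += 4 + cb_header_res
        folder_reserve = cb_folder_res
    folder_types = []
    for _ in range(c_folders):
        _coff_start, _c_data, type_compress = CFFOLDER.unpack_from(blob, off)
        folder_types.append(type_compress)
        off += CFFOLDER.size + folder_reserve
    files = []
    off = coff_files
    for _ in range(c_files):
        cb_file, _uoff, i_folder, _date, _time, attribs = CFFILE_FIXED.unpack_from(blob, off)
        off += CFFILE_FIXED.size
        end = blob.index(b"\x00", off)
        encoding = "utf-8" if attribs & 0x80 else "latin-1"  # _A_NAME_IS_UTF
        files.append(CabFile(blob[off:end].decode(encoding), cb_file, i_folder, attribs))
        off = end + 1
    return CabInfo(cab_size, coff_files, folder_types, files)


def summarize(info: CabInfo) -> str:
    """One-line summary in the style of the report's Static PE information entries."""
    names = " ".join(f'{attrib_string(f.attribs)} "{f.name}"' for f in info.files)
    comp = ", ".join(f"0x{t:04x} ({compression_name(t)})" for t in info.folder_types)
    return (f"Microsoft Cabinet archive data, {info.cab_size} bytes, {len(info.files)} files, "
            f"at 0x{info.first_file_offset:x} {names}, {comp} compression")


def build_directory_only_cab(names: List[str], type_compress: int = 0x1503) -> bytes:
    """Constructed test input: a cabinet header, one LZX folder and CFFILE entries
    with no CFDATA payload. File sizes and dates are arbitrary."""
    entries = b"".join(
        CFFILE_FIXED.pack(4096 * (i + 1), 0, 0, 0x5660, 0x0000, 0x20) + n.encode() + b"\x00"
        for i, n in enumerate(names))
    coff_files = CFHEADER.size + CFFOLDER.size  # 0x2c, as in the report's entries
    cab_size = coff_files + len(entries)
    header = CFHEADER.pack(b"MSCF", 0, cab_size, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    return header + CFFOLDER.pack(cab_size, 0, type_compress) + entries


# Constructed stand-in for an RT_RCDATA resource: a few leading bytes, then the cabinet.
# The file names are taken from the report's kino0095.exe entry; the bytes are not from the sample.
SAMPLE_RESOURCE = b"\x00\x00\x10\x00" + build_directory_only_cab(["kino2456.exe", "en675431.exe"])

if __name__ == "__main__":
    print(summarize(parse_cab(SAMPLE_RESOURCE)))
```

Running the parser on each extracted resource in turn, and then on the resources of the executables it names, walks the whole drop chain statically without executing any layer.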
Source: szDGo5lHdI.exe | Binary or memory string: OriginalFilename vs szDGo5lHdI.exe
Source: szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs szDGo5lHdI.exe
Source: szDGo5lHdI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dvL76s65.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: con1332.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: szDGo5lHdI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus9402.exe.log
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/11@0/1
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exeCode function: 4_2_00007FFBACED1B10 ChangeServiceConfigA,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,
                      Source: szDGo5lHdI.exeReversingLabs: Detection: 46%
                      Source: szDGo5lHdI.exeVirustotal: Detection: 44%
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\szDGo5lHdI.exe C:\Users\user\Desktop\szDGo5lHdI.exe
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_010B1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_00961F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_00191F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_069027C6 CreateToolhelp32Snapshot,Module32First,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCommand line argument: Kernel32.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCommand line argument: Kernel32.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCommand line argument: Kernel32.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCommand line argument: Kernel32.dll
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCommand line argument: 08A
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeAutomated click: OK
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeAutomated click: OK
                      Source: szDGo5lHdI.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: szDGo5lHdI.exeStatic file information: File size 1228288 > 1048576
                      Source: szDGo5lHdI.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x106a00
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: szDGo5lHdI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wextract.pdb source: szDGo5lHdI.exe, szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000002.446310125.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000002.437433001.00000000010B1000.00000020.00000001.01000000.00000004.sdmp, kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, kino2456.exe, kino2456.exe, 00000002.00000002.430454699.0000000000961000.00000020.00000001.01000000.00000005.sdmp, kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.263688959.0000000000191000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                      Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: szDGo5lHdI.exe, 00000000.00000003.260924559.0000000004F75000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, ge821663.exe.0.dr
                      Source: Binary string: Healer.pdb source: con1332.exe, 0000000D.00000002.329988354.0000000007090000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wextract.pdbGCTL source: szDGo5lHdI.exe, 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, szDGo5lHdI.exe, 00000000.00000002.446310125.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000002.437433001.00000000010B1000.00000020.00000001.01000000.00000004.sdmp, kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, kino2456.exe, 00000002.00000002.430454699.0000000000961000.00000020.00000001.01000000.00000005.sdmp, kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, kino0588.exe, 00000003.00000000.263688959.0000000000191000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
                      Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000000.331145914.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, dvL76s65.exe.2.dr
                      Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.264209575.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.264403832.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
                      Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.264209575.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000000.300762945.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
                      Source: Binary string: _.pdb source: con1332.exe, 0000000D.00000002.328304640.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000003.304290466.0000000002E56000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, dvL76s65.exe, 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: kino2456.exe, 00000002.00000003.263295160.0000000004E98000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000000.331145914.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, dvL76s65.exe.2.dr
                      Source: Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: szDGo5lHdI.exe
                      Source: Binary string: Healer.pdbH5 source: con1332.exe, 0000000D.00000002.329988354.0000000007090000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000002.328962587.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328663106.00000000046D0000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 0000000D.00000003.302691147.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 0000000D.00000002.328754727.0000000004750000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeUnpacked PE file: 0.2.szDGo5lHdI.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeUnpacked PE file: 13.2.con1332.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeUnpacked PE file: 15.2.dvL76s65.exe.400000.0.unpack
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeUnpacked PE file: 0.2.szDGo5lHdI.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeUnpacked PE file: 13.2.con1332.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeUnpacked PE file: 15.2.dvL76s65.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_0040724D push ecx; ret
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_06903E94 pushad ; retf
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_069058D3 push cs; ret
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_06903F0B push FFFFFF8Bh; ret
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_06907623 pushfd ; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_010B724D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_0096724D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_0019724D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_0041C40C push cs; iretd
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_00423149 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_0041C50E push cs; iretd
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_004231C8 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_0040E21D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_0041C6BE push ebx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_02C0C125 push ebx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_02C0BE73 push cs; iretd
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_02C0BF75 push cs; iretd
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_02BFE484 push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_046B454E push ecx; retf
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeCode function: 13_2_046B4139 push edi; iretd
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
                      Source: en675431.exe.1.drStatic PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.985286241021559
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.842085736950787
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.7554731967823
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeFile created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeFile created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeFile created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeFile created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeFile created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeFile created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exeCode function: 0_2_00401AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exeCode function: 1_2_010B1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exeCode function: 2_2_00961AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exeCode function: 3_2_00191AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe TID: 4488 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe TID: 2228 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe TID: 5136 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe TID: 6124 Thread sleep count: 2031 > 30
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe TID: 5552 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Window / User API: threadDelayed 2031
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe API call chain: ExitProcess graph end node
                      Source: dvL76s65.exe, 0000000F.00000002.419531812.0000000007F38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ;Y
                      Source: dvL76s65.exe, 0000000F.00000003.410086799.0000000007F78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
                      Source: dvL76s65.exe, 0000000F.00000003.410086799.0000000007F78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareE7R15_4AWin32_VideoController8D1N5GGZVideoController120060621000000.000000-00045768007display.infMSBDAEGWTPFDPPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&
                      Source: dvL76s65.exe, 0000000F.00000002.412316821.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareE7R15_4AWin32_VideoController8D1N5GGZVideoController120060621000000.000000-00045768007display.infMSBD
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00405467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe Code function: 1_2_010B2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe Code function: 2_2_00962390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe Code function: 3_2_00192390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_069020A3 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02BF092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02BF0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_0040ADB0 GetProcessHeap,HeapFree,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00406F40 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00406CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe Code function: 1_2_010B6F40 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe Code function: 1_2_010B6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe Code function: 2_2_00966F40 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe Code function: 2_2_00966CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe Code function: 3_2_00196F40 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe Code function: 3_2_00196CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02BFE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02BFD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02C071D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: 13_2_02C02658 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_004017EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00407155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Code function: 4_2_00007FFBACED077D GetUserNameA,
                      Source: C:\Users\user\Desktop\szDGo5lHdI.exe Code function: 0_2_00402BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
                      Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                      Source: dvL76s65.exe, 0000000F.00000002.419531812.0000000007F38000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.419902931.0000000007FE5000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.419761949.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.3.con1332.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.3.kino0095.exe.4d2a220.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20ee8.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4c10000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4c10000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.3.dvL76s65.exe.2c80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd6d86.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd6d86.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.3.kino0095.exe.4d2a220.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20ee8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd7c6e.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.412058173.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: dvL76s65.exe PID: 1332, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED
                      Source: Yara match File source: 0.3.szDGo5lHdI.exe.6f26a20.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.szDGo5lHdI.exe.6f26a20.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe, type: DROPPED
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
                      Source: dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
                      Source: con1332.exe, 0000000D.00000002.329988354.0000000007090000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: Yara match File source: Process Memory Space: dvL76s65.exe PID: 1332, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd7c6e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.3.con1332.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.3.kino0095.exe.4d2a220.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2c00e67.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20ee8.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4c10000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4c10000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.3.dvL76s65.exe.2c80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd6d86.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd6d86.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.3.kino0095.exe.4d2a220.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.4a20ee8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 15.2.dvL76s65.exe.2cd7c6e.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.412058173.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: dvL76s65.exe PID: 1332, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED
MITRE ATT&CK Matrix (columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact; numbers preceding a technique are the report's signature-count badges; empty cells are omitted)
Valid Accounts | 221 Windows Management Instrumentation | 1 Windows Service | 2 Bypass User Access Control | 21 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 3 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 1 Windows Service | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 Service Execution | Logon Script (Mac) | 1 Process Injection | 22 Software Packing | NTDS | 137 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 361 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Bypass User Access Control | Cached Domain Credentials | 231 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 231 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Process Injection | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 1 Rundll32 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Behavior Graph ID: 829671, Sample: szDGo5lHdI.exe, Startdate: 18/03/2023, Architecture: WINDOWS, Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures

Process tree:
• szDGo5lHdI.exe (started)
  • dropped: C:\Users\user\AppData\Local\...\kino0095.exe (PE32); C:\Users\user\AppData\Local\...\ge821663.exe (PE32)
  • signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  • kino0095.exe (started)
    • dropped: C:\Users\user\AppData\Local\...\kino2456.exe (PE32); C:\Users\user\AppData\Local\...\en675431.exe (PE32)
    • signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
    • kino2456.exe (started)
      • dropped: C:\Users\user\AppData\Local\...\kino0588.exe (PE32); C:\Users\user\AppData\Local\...\dvL76s65.exe (PE32)
      • signatures: Machine Learning detection for dropped file
      • kino0588.exe (started)
        • dropped: C:\Users\user\AppData\Local\...\con1332.exe (PE32); C:\Users\user\AppData\Local\...\bus9402.exe (PE32)
        • signatures: Machine Learning detection for dropped file
        • con1332.exe (started): Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
        • bus9402.exe (started): Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
      • dvL76s65.exe (started)
        • network: 193.233.20.30, ports 4125, 49701, REDCOM-AS (Redcom, Khabarovsk, Russia), RU Russian Federation
        • signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
• rundll32.exe (started)
• rundll32.exe (started)
• rundll32.exe (started)

Source | Detection | Scanner | Label
szDGo5lHdI.exe | 46% | ReversingLabs | Win32.Trojan.Generic
szDGo5lHdI.exe | 45% | Virustotal |
szDGo5lHdI.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | 100% | Avira | HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | 100% | Avira | HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | 63% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe | 80% | Virustotal |
Source | Detection | Scanner | Label
3.3.kino0588.exe.43e3c20.0.unpack | 100% | Avira | HEUR/AGEN.1253311
1.2.kino0095.exe.10b0000.0.unpack | 100% | Avira | HEUR/AGEN.1252166
1.0.kino0095.exe.10b0000.0.unpack | 100% | Avira | HEUR/AGEN.1252166
0.2.szDGo5lHdI.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1252166
2.3.kino2456.exe.4eee420.0.unpack | 100% | Avira | HEUR/AGEN.1253311
                      No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
31.41.244.200/games/category/index.php | 0% | URL Reputation | safe
31.41.244.200/games/category/index.php | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
31.41.244.200/games/category/index.php | true | URL Reputation: safe; URL Reputation: safe | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | kino0095.exe, 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, en675431.exe.1.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm8D# | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | dvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequesteddvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplaydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegodvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinarydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingdvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletiondvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id11dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id12dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16ResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CanceldvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id13dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id14dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id15dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NoncedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id17dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id18dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id5ResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19dvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsdvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id10ResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id8ResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentitydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://search.yahoo.com?fr=crmas_sfpfdvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005ED2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000005030000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005D5D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004DFD000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005EB5000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004E8A000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.416452346.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeydvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/06/addressingexdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoordvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/NoncedvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsedvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultdvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewdvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id17ResponsedvL76s65.exe, 0000000F.00000002.413281318.000000000503D000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.233.20.30 | unknown | Russian Federation | 8749 | REDCOM-AS Redcom Khabarovsk Russia RU | true
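A caveat for anyone mining this table for indicators: every URL above is marked Malicious false, and almost all of them are WS-*/WCF namespace identifiers (schemas.xmlsoap.org, docs.oasis-open.org, tempuri.org) that live in the .NET runtime's own assemblies and therefore appear in the memory of any .NET process, here dvL76s65.exe. They are not hosts the sample contacted. The only item in this section the report itself flags as malicious is the IP 193.233.20.30. The script below is an added example, not part of the Joe Sandbox report: it rebuilds rows from the flattened text (the format gives no delimiter between URL and process name, so the parser needs the process names from the report's process list to find the split), separates runtime namespace strings from entries that need review, and keeps only report-flagged items as network IOCs. The list of runtime namespace hosts and the "review" bucket are this example's assumptions; the input lines are copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# A memory-dump reference as it appears in the "Source" column, e.g.
# 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmp
MEMDUMP = r"[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]{8,16})+\.sdmp"

# Hosts of standard .NET/WCF namespace URIs (WS-Trust, WS-Addressing, WSS, ...).
# Baked into the runtime's assemblies, so they show up in any .NET process dump.
# This list is an assumption of this example, not a Joe Sandbox classification.
RUNTIME_NAMESPACE_HOSTS = {
    "schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org",
    "www.w3.org", "schemas.microsoft.com",
}


@dataclass
class UrlRow:
    url: str
    sources: List[Tuple[str, str]]   # (process name, memdump reference)
    malicious: bool
    av_detection: List[str]
    reputation: str


def parse_url_table(lines: Iterable[str], process_names: Iterable[str]) -> List[UrlRow]:
    """Rebuild URL rows from the flattened report text.

    A row line is "<url><process>, <memdump>[, <process>, <memdump>...]<true|false>";
    the "• ..." lines that follow are antivirus detections and the next plain
    line is the reputation. The URL/process boundary is only recoverable
    because the process names are known (they come from the report's process list).
    """
    procs = "|".join(re.escape(p) for p in sorted(process_names, key=len, reverse=True))
    item = rf"(?:{procs}), {MEMDUMP}"
    row_re = re.compile(rf"^(?P<url>.+?)(?P<src>{item}(?:, {item})*)(?P<mal>true|false)$")
    item_re = re.compile(rf"({procs}), ({MEMDUMP})")
    rows: List[UrlRow] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = row_re.match(line)
        if m:
            rows.append(UrlRow(
                url=m.group("url"),
                sources=item_re.findall(m.group("src")),
                malicious=m.group("mal") == "true",
                av_detection=[],
                reputation="",
            ))
        elif rows and line.startswith("•"):
            rows[-1].av_detection.append(line.lstrip("• ").strip())
        elif rows and not rows[-1].reputation:
            rows[-1].reputation = line
    return rows


def classify(row: UrlRow) -> str:
    """flagged: the report marked it malicious; runtime-string: .NET namespace URI;
    review: anything else (e.g. browser search URLs read from profiles) needs a human."""
    if row.malicious:
        return "flagged"
    host = (urlsplit(row.url).hostname or "").lower()
    if host in RUNTIME_NAMESPACE_HOSTS:
        return "runtime-string"
    return "review"


def network_iocs(url_rows: List[UrlRow], ip_rows: List[dict]) -> List[str]:
    """Only items the report itself marks malicious become IOCs."""
    iocs = [r.url for r in url_rows if r.malicious]
    iocs += [ip["ip"] for ip in ip_rows if ip["malicious"]]
    return iocs


# Constructed test input: lines copied from this report's flattened URL table.
REPORT_LINES = [
    "high",
    "http://tempuri.org/Entity/Id20dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse",
    "• URL Reputation: safe",
    "unknown",
    "http://tempuri.org/Entity/Id22dvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, dvL76s65.exe, 0000000F.00000002.413281318.0000000004C71000.00000004.00000800.00020000.00000000.sdmpfalse",
    "• URL Reputation: safe",
    "• URL Reputation: safe",
    "unknown",
    "http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegodvL76s65.exe, 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmpfalse",
    "high",
    "https://search.yahoo.com?fr=crmas_sfpfdvL76s65.exe, 0000000F.00000002.413281318.0000000004FA3000.00000004.00000800.00020000.00000000.sdmpfalse",
    "high",
]
# The report's IP table, transcribed by hand.
IP_ROWS = [{"ip": "193.233.20.30", "country": "Russian Federation",
            "asn": 8749, "asn_name": "REDCOM-AS", "malicious": True}]
# Process names from the report (sample and its dropped executable).
PROCESS_NAMES = {"szDGo5lHdI.exe", "dvL76s65.exe"}

if __name__ == "__main__":
    rows = parse_url_table(REPORT_LINES, PROCESS_NAMES)
    for r in rows:
        print(f"{classify(r):14} {r.url}  ({len(r.sources)} dump(s), reputation={r.reputation})")
    print("network IOCs:", network_iocs(rows, IP_ROWS))
```

Running it lists the four sample rows as runtime-string or review and prints the single IOC, 193.233.20.30. The same parser works on the whole table; if the report had more processes, add their names to PROCESS_NAMES, otherwise a URL ending in letters would swallow the process name.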
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:829671
Start date and time:2023-03-18 20:56:13 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 28s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:szDGo5lHdI.exe
Original Sample Name:d20ba0ceff50b0a05c84f694e28462aa.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@16/11@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 45% (good quality ratio 43.1%)
• Quality average: 85.1%
                                                                                                                                                        • Quality standard deviation: 23.8%
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 94%
                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                        • Override analysis time to 240s for rundll32
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:59:20 | API Interceptor | 11x Sleep call for process: dvL76s65.exe modified
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
                                                                                                                                                        File Type:CSV text
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):226
                                                                                                                                                        Entropy (8bit):5.354940450065058
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                                                                                                                                        MD5:B10E37251C5B495643F331DB2EEC3394
                                                                                                                                                        SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                                                                                                                                        SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                                                                                                                                        SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):321
                                                                                                                                                        Entropy (8bit):5.355221377978991
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
                                                                                                                                                        MD5:03C5BA5FCE7124B503EA65EF522177C3
                                                                                                                                                        SHA1:F76B1F538D5EA66664355901E927B2F870ACCDD8
                                                                                                                                                        SHA-256:8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
                                                                                                                                                        SHA-512:151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2843
                                                                                                                                                        Entropy (8bit):5.3371553026862095
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:MIHK5HKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx15:Pq5qXeqm00YqhQnouOqLqdqNq2qzcGtX
                                                                                                                                                        MD5:B8422A20BE05209187B69B7EEFA138B5
                                                                                                                                                        SHA1:E1FDD185B2277732AB2D728A2657291077A66811
                                                                                                                                                        SHA-256:FAD57E6847B4B32DF6AE6665F75F388886058EB6CC492718EED2589D830C626E
                                                                                                                                                        SHA-512:1729D8A82C212C61E2395941D3B23625A5EF09EDEA7AA25E6653827E3259EC11A38885C296E12AE82A82A1338066AFFFAEF389F21EE887DA18AC489E39B64B73
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Cultu
                                                                                                                                                        Process:C:\Users\user\Desktop\szDGo5lHdI.exe
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):231424
                                                                                                                                                        Entropy (8bit):6.351317966279805
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg
                                                                                                                                                        MD5:8627EBE3777CC777ED2A14B907162224
                                                                                                                                                        SHA1:06EEED93EB3094F9D0B13AC4A6936F7088FBBDAA
                                                                                                                                                        SHA-256:319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
                                                                                                                                                        SHA-512:9DE429300C95D52452CAEB80C9D44FF72714F017319E416649C2100F882C394F5AB9F3876CC68D338F4B5A3CD58337DEFFF9405BE64C87D078EDD0D86259C845
                                                                                                                                                        Malicious:true
                                                                                                                                                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe, Author: Joe Security
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 63%
• Antivirus: Virustotal, Detection: 80%
                                                                                                                                                        Process:C:\Users\user\Desktop\szDGo5lHdI.exe
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):858624
                                                                                                                                                        Entropy (8bit):7.9173206349168845
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:lMrOy90U9S1jZY7zjt4IrITYlgomWCWx8gl0GuNVn1DTYbgiCFC7D4jghvlWTUPL:LyH9UyyI9goXZ8gRuN34mC4jqly4P
                                                                                                                                                        MD5:566C1099548DF136503F4DC814D54B17
                                                                                                                                                        SHA1:31F3A2230D7043D645B5451DDBCA0FECE20DE8B9
                                                                                                                                                        SHA-256:B251936E101904F6A72600EB714E7127B89E19E0EF9B4A64FD1578CE62208AF5
                                                                                                                                                        SHA-512:D8D4507A960834EC68786D313321EA2186B09E08C47AEC73EF5067CA60550AA1D31D88C83B90C66A1602A25B8F124254409C0002D8A3DC3044C6FF372908C4BE
                                                                                                                                                        Malicious:true
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):179200
                                                                                                                                                        Entropy (8bit):4.951892860913068
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:W9xqZWBJaHEDgXGJ5MS8IL1eXx9vhxbxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw9:WHqZVGJ5bHLYvh
                                                                                                                                                        MD5:6FBFF2D7C9BA7F0A71F02A5C70DF9DFC
                                                                                                                                                        SHA1:003DA0075734CD2D7F201C5B0E4779B8E1F33621
                                                                                                                                                        SHA-256:CB56407367A42F61993842B66BCD24993A30C87116313C26D6AF9E37BBB1B6B3
                                                                                                                                                        SHA-512:25842B9DF4767B16096F2BFCEDC9D368A9696E6C6D9C7B2C75987769A5B338AE04B23B1E89F18EEF2244E84F04E4ACF6AF56643A97ABFE5B605F66CBA0BAC27F
                                                                                                                                                        Malicious:true
                                                                                                                                                        Yara Hits:
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, Author: Joe Security
                                                                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, Author: ditekSHen
                                                                                                                                                        Antivirus:
                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 713216
Entropy (8bit): 7.890631801900666
Encrypted: false
SSDEEP: 12288:FMrAy90gyVe3l8BrITJln173C6x8g00G4NGnmDyYygiHBCSDsv9hJlWTUP:9yxyVql8FAn1bz8gA4NhMhC7v9ly8
MD5: EBD95183957BECDB18025FC9D553B15E
SHA1: 73A57EE27624459B13318E13148A5812F9AFC72A
SHA-256: 23B519083DBE38A5E62CAA55B223BC7E9AE9F89075E241171005B31CCF903994
SHA-512: E4EBB6A5E5639E5A99E03F94AAA820BE48EFA6971C36B89661E8094081BF89C295CD60FE5EFE7E5DCD9517C1B5D60990BA714A5CC0287B82FE223F5B31807ABE
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 400896
Entropy (8bit): 6.799070583318619
Encrypted: false
SSDEEP: 6144:GpBL6vPRiUryaNB5HC6XkN9UomaZ4RPDNr:GpBGvPIUOaThCpDTQr
MD5: C49DABA1E54976E33808914E11DEE05B
SHA1: 327511A93186C8595A55CAB5552C641FD06906C5
SHA-256: 74F627228484CC1EF30DB15DCA717A6E35D89DAB79AA42EB3E40D10E5E82E547
SHA-512: CFAC97EEB2703D0FC11116AD405B7A1E80AB3BAB408D8456655F6B7EF319FCF548DD84EE511E429A92C42E5895CCF07FC151AFEFDED79A92BF99586D803EA253
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 353280
Entropy (8bit): 7.694403263596913
Encrypted: false
SSDEEP: 6144:KXy+bnr+Bp0yN90QEDbIT9olnx142x9Q4lJEXqx8gOMn0GVRaGo8vxg50mE:ZMrNy90pITylnv4AC6x8g30GfNvNmE
MD5: 54A8FD200F50B6AF0F10CA6EB68471D3
SHA1: 2952B9DAD85AD87BCE0B2EFDA76ABB1149DCE018
SHA-256: 5FCEF4C6CF8F1815B6F4B54F6ACD3140DAFA5A24AFDFD876D570FD626CD191B0
SHA-512: 00CBF08050A1AE1A7D188F8F1C265CA882D9FD15587B6F396973F8695A25727B223966A2A0886152675DFE6A6DA125FF6C9524A614578E71B5F05DFFF55A30A3
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 11264
Entropy (8bit): 4.97029807367379
Encrypted: false
SSDEEP: 96:yA/vMth9sDLibql3A44P9QL4fwmPImg+A03PvXLOzk+gqWYV4J6oP/zNt:yw+wGWt94+iANiCkc4Jhp
MD5: 7E93BACBBC33E6652E147E7FE07572A0
SHA1: 421A7167DA01C8DA4DC4D5234CA3DD84E319E762
SHA-256: 850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38
SHA-512: 250169D7B6FCEBFF400BE89EDAE8340F14130CED70C340BA9DA9F225F62B52B35F6645BFB510962EFB866F988688CB42392561D3E6B72194BC89D310EA43AA91
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 341504
Entropy (8bit): 6.481872228762081
Encrypted: false
SSDEEP: 6144:NZ3LYwHUxsB2a9D4lJERA0Cr4x+WBQYLwzAW0nr:NZ38wHU2BsCi0R+Weowar
MD5: 0B63FCA2981CA840B845011956E212AD
SHA1: 293B8C4F0C8981AE5B568D1CD722E91C16476049
SHA-256: 894D2B3D57258FE980414000FE66D5A483656746A12CEBF4849D883917F13C30
SHA-512: AA357E4991C4CCA3FA11FC0CB5483E439C398835B9361AEC715C384D319A5D43578B2E2EAB84EBB048E3B8D3F97951A997DD630D915FDCE030D499DD29D5197C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.764342310125714
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: szDGo5lHdI.exe
File size: 1228288
MD5: d20ba0ceff50b0a05c84f694e28462aa
SHA1: c7c3b70840660f8dd81770e3bd5200eb2feda120
SHA256: bfe36fe57256d59f04350be588333d644cf1aac03039d14dfce313aa60d42ced
SHA512: 699336726b562a7b0ab766d15e305afca0ac7137a6105381fc4832c957f5b74dd27a8da478d2908b5ccebf0fddf2ac9822856ede31e9b1432c0ad4182c952fe6
SSDEEP: 24576:u1F4VX4ZsIETa80JWFst9LqGfEBz9terTMH9MbMx9upUenl6O:u1FWWbETahMszqGfu0rYHqbMxQpPl
TLSH: 6D45F14382E27D48F9268B739E1EC2E8B70DF670DE997B653218DA2F0075176C363A51
Icon Hash: a4a4a08484a484e0
Entrypoint: 0x4050c8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x61EC0DDE [Sat Jan 22 13:59:58 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 9c97db954c6eab8dfde4a4fd207d98cc
Instruction
call 00007F48586CA793h
jmp 00007F48586C69CEh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F48586C8255h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 00007F48586C6B69h
call 00007F48586C7AFDh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F48586C6C84h
test al, 40h
je 00007F48586C6B5Fh
call 00007F48586C7AE2h
mov dword ptr [eax], 00000022h
jmp 00007F48586C6B35h
push ebx
xor ebx, ebx
test al, 01h
je 00007F48586C6B68h
mov dword ptr [esi+04h], ebx
test al, 10h
je 00007F48586C6BDDh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
test eax, 0000010Ch
jne 00007F48586C6B7Eh
call 00007F48586C7DDEh
add eax, 20h
cmp esi, eax
je 00007F48586C6B5Eh
call 00007F48586C7DD2h
add eax, 40h
cmp esi, eax
jne 00007F48586C6B5Fh
push dword ptr [ebp+0Ch]
call 00007F48586CB181h
pop ecx
test eax, eax
jne 00007F48586C6B59h
                                                                                                                                                        push esi
                                                                                                                                                        call 00007F48586CB12Dh
                                                                                                                                                        pop ecx
                                                                                                                                                        test dword ptr [esi+0Ch], 00000108h
                                                                                                                                                        push edi
                                                                                                                                                        je 00007F48586C6BD6h
                                                                                                                                                        mov eax, dword ptr [esi+08h]
                                                                                                                                                        mov edi, dword ptr [esi]
                                                                                                                                                        lea ecx, dword ptr [eax+01h]
                                                                                                                                                        mov dword ptr [esi], ecx
                                                                                                                                                        Programming Language:
                                                                                                                                                        • [C++] VS2008 build 21022
                                                                                                                                                        • [ASM] VS2008 build 21022
                                                                                                                                                        • [ C ] VS2008 build 21022
                                                                                                                                                        • [IMP] VS2005 build 50727
                                                                                                                                                        • [RES] VS2008 build 21022
                                                                                                                                                        • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x106f40 | 0x64 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27b8000 | 0x1a612 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27d3000 | 0xaa0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d78 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1ac | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x106906 | 0x106a00 | False | 0.9755557249524036 | data | 7.985286241021559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x108000 | 0x26af548 | 0x2600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x27b8000 | 0x1a612 | 0x1a800 | False | 0.38375221108490565 | data | 4.307961956559254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x27d3000 | 0x8178 | 0x8200 | False | 0.0734375 | data | 0.9144732522290139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x27b88b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27b9758 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27ba000 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27bc5a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27bd650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27bdab8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Spanish | Mexico
RT_ICON | 0x27be960 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Spanish | Mexico
RT_ICON | 0x27bf208 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Spanish | Mexico
RT_ICON | 0x27bf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Spanish | Mexico
RT_ICON | 0x27bfe38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Spanish | Mexico
RT_ICON | 0x27c23e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Spanish | Mexico
RT_ICON | 0x27c3488 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Spanish | Mexico
RT_ICON | 0x27c3e10 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Spanish | Mexico
RT_ICON | 0x27c4278 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27c5120 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27c59c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27c5f30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27c84d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27c9580 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27c9f08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27ca370 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27cb218 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27cbac0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27cc188 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Mexico
RT_ICON | 0x27cc6f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27cec98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27cfd40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Mexico
RT_ICON | 0x27d06c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico
RT_DIALOG | 0x27d0b30 | 0x86 | data | |
RT_STRING | 0x27d0bb8 | 0x490 | data | |
RT_STRING | 0x27d1048 | 0x3d6 | data | |
RT_STRING | 0x27d1420 | 0x492 | data | |
RT_STRING | 0x27d18b4 | 0x382 | data | |
RT_ACCELERATOR | 0x27d1c38 | 0x48 | data | Spanish | Mexico
RT_ACCELERATOR | 0x27d1c80 | 0x18 | data | Spanish | Mexico
RT_GROUP_ICON | 0x27d1c98 | 0x68 | data | Spanish | Mexico
RT_GROUP_ICON | 0x27d1d00 | 0x4c | data | Spanish | Mexico
RT_GROUP_ICON | 0x27d1d4c | 0x76 | data | Spanish | Mexico
RT_GROUP_ICON | 0x27d1dc4 | 0x76 | data | Spanish | Mexico
RT_VERSION | 0x27d1e3c | 0x1e0 | data | |
RT_MANIFEST | 0x27d201c | 0x5eb | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
None | 0x27d2608 | 0xa | data | |
DLL | Import
KERNEL32.dll | GetLogicalDriveStringsW, SetDefaultCommConfigW, CreateHardLinkA, GetConsoleAliasesA, LoadLibraryW, _hread, IsBadCodePtr, CreateEventA, FormatMessageW, GetFileAttributesA, GetExitCodeProcess, SetConsoleMode, WriteConsoleW, WritePrivateProfileSectionW, ChangeTimerQueueTimer, SetLastError, GetProcAddress, GlobalAddAtomA, EnumSystemCodePagesW, LocalAlloc, FoldStringA, FreeEnvironmentStringsW, VirtualProtect, GetWindowsDirectoryW, GetFileInformationByHandle, GlobalReAlloc, InterlockedPushEntrySList, LCMapStringW, CloseHandle, CreateFileA, HeapSize, lstrcpynA, CallNamedPipeA, VirtualAlloc, GetVolumeNameForVolumeMountPointA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LoadLibraryA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LCMapStringA, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, RaiseException
USER32.dll | ClientToScreen, LoadMenuA, InvalidateRgn, GetMenuInfo, MessageBoxIndirectW, CountClipboardFormats, SetScrollInfo
GDI32.dll | GetGlyphIndicesW
ADVAPI32.dll | RegOpenKeyA
Language of compilation system | Country where language is spoken | Map
Spanish | Mexico |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/23-20:58:24.653479 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49701 | 4125 | 192.168.2.3 | 193.233.20.30
03/18/23-20:58:07.054155 | TCP | 2043233 | ET TROJAN RedLine Stealer TCP CnC net.tcp Init | 49701 | 4125 | 192.168.2.3 | 193.233.20.30
03/18/23-20:58:08.632497 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 4125 | 49701 | 193.233.20.30 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                        Mar 18, 2023 20:58:24.171370029 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.356787920 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.380835056 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.443901062 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.468919039 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.468954086 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.468971014 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.469019890 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.500091076 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.524600983 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.569483995 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.594418049 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.604362011 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.627705097 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.629317045 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.652537107 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.653479099 CET497014125192.168.2.3193.233.20.30
                                                                                                                                                        Mar 18, 2023 20:58:24.680087090 CET412549701193.233.20.30192.168.2.3
                                                                                                                                                        Mar 18, 2023 20:58:24.712532997 CET497014125192.168.2.3193.233.20.30

Target ID:0
Start time:20:58:10
Start date:18/03/2023
Path:C:\Users\user\Desktop\szDGo5lHdI.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\szDGo5lHdI.exe
Imagebase:0x400000
File size:1228288 bytes
MD5 hash:D20BA0CEFF50B0A05C84F694E28462AA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.447521600.0000000006902000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.447701625.0000000006A00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:low

Target ID:1
Start time:20:58:11
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
Imagebase:0x10b0000
File size:858624 bytes
MD5 hash:566C1099548DF136503F4DC814D54B17
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.261924931.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:2
Start time:20:58:12
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
Imagebase:0x960000
File size:713216 bytes
MD5 hash:EBD95183957BECDB18025FC9D553B15E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:3
Start time:20:58:13
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
Imagebase:0x190000
File size:353280 bytes
MD5 hash:54A8FD200F50B6AF0F10CA6EB68471D3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:4
Start time:20:58:13
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
Imagebase:0x4d0000
File size:11264 bytes
MD5 hash:7E93BACBBC33E6652E147E7FE07572A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:high

Target ID:12
Start time:20:58:25
Start date:18/03/2023
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:0x7ff6922f0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:13
Start time:20:58:30
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
Imagebase:0x400000
File size:341504 bytes
MD5 hash:0B63FCA2981CA840B845011956E212AD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000D.00000002.328271047.0000000002DE6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000D.00000002.327606223.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low
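
The Source field of each Yara match names the memory dump the rule fired on, and that name tells you where in the process the payload was sitting. Read against the process list: the first field is the Target ID in hex (0000000D is Target 13), the fourth is the region base (0x400000 is the Imagebase of con1332.exe), the fifth is the Win32 PAGE_* protection and the seventh the region type. So the RedLine hits in Target 0 land in executable private memory (unpacked into allocated memory inside the loader), while the hits in Target 13 at 0x400000 are in image pages that have been made PAGE_EXECUTE_READWRITE, which is the payload written over the process's own mapped PE. The parser below is an added example, not Joe Security code; the field layout is my reading of the dump names on this page (verified only for the target id, base address, protection and type fields; the others are captured but not interpreted), and the PAGE_* and MEM_* constants are the winnt.h values. The input lines are copied from the Yara matches of Target 0 and Target 13.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# PAGE_* protection constants and MEMORY_BASIC_INFORMATION.Type values from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEMORY_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Layout of the .sdmp name as read off this report (an assumption, checked against the
# page): field 1 is the Target ID in hex (0000000D = Target 13), field 4 the region base
# (0x400000 = Imagebase of Target 13), field 5 the PAGE_* protection, field 7 the region
# Type. Fields 2, 3, 6 and 8 are captured but not interpreted here.
DUMP_NAME_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<f2>[0-9a-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.I,
)
HIT_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")


@dataclass(frozen=True)
class YaraHit:
    rule: str
    target_id: int
    base: int
    protect: str
    mem_type: str


def parse_hit(line: str) -> YaraHit:
    """Turn one 'Rule: ..., Source: <dump>.sdmp, ...' bullet into a structured hit."""
    m = HIT_RE.search(line)
    if not m:
        raise ValueError(f"not a Yara match line: {line!r}")
    d = DUMP_NAME_RE.match(m.group("src"))
    if not d:
        raise ValueError(f"unexpected dump name: {m.group('src')}")
    protect, mtype = int(d["protect"], 16), int(d["mtype"], 16)
    return YaraHit(
        rule=m.group("rule").strip(),
        target_id=int(d["target"], 16),
        base=int(d["base"], 16),
        protect=PAGE_PROTECTION.get(protect, hex(protect)),
        mem_type=MEMORY_TYPE.get(mtype, hex(mtype)),
    )


def classify(hit: YaraHit) -> str:
    """Say how the matched code most likely got into that region."""
    if hit.mem_type == "MEM_IMAGE" and hit.protect == "PAGE_EXECUTE_READWRITE":
        return "rwx-image"      # image pages made writable: payload unpacked over the mapped PE
    if hit.mem_type == "MEM_PRIVATE" and hit.protect in EXECUTABLE:
        return "exec-private"   # executable private memory: payload unpacked into allocated memory
    if hit.mem_type == "MEM_PRIVATE":
        return "data-private"   # non-executable private memory: strings, config or a staged buffer
    return "other"


def summarize(lines: Iterable[str]) -> Dict[Tuple[int, str], List[str]]:
    """Group hits by (Target ID, rule) with a one-line description of each region."""
    out: Dict[Tuple[int, str], List[str]] = {}
    for line in lines:
        if "Rule:" not in line:
            continue
        h = parse_hit(line)
        out.setdefault((h.target_id, h.rule), []).append(
            f"{h.base:#x} {h.protect} {h.mem_type} -> {classify(h)}")
    return out


# Constructed input: Yara match bullets of Target 0 and Target 13, copied from the report.
YARA_LINES = [
    "Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.447521600.0000000006902000.00000040.00000020.00020000.00000000.sdmp, Author: unknown",
    "Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.260695646.0000000006E55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.326634560.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000003.302283247.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security",
]

if __name__ == "__main__":
    for (target, rule), regions in summarize(YARA_LINES).items():
        print(f"Target {target} / {rule}")
        for region in regions:
            print("   ", region)
```

For triage the classification is the useful bit: a hit in an rwx-image region at the Imagebase means the on-disk file is a loader and the real payload only exists after unpacking, so the hashes listed for that target identify the wrapper, not the stealer; dump the region the rule matched if you want the payload itself.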

Target ID:14
Start time:20:58:37
Start date:18/03/2023
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:0x7ff6922f0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
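
The IXP000.TMP through IXP003.TMP directories and the two rundll32 advpack.dll,DelNodeRunDLL32 calls are the footprint of IExpress self-extracting packages (wextract): each package unpacks into %LOCALAPPDATA%\Temp\IXP<nnn>.TMP\, runs what it extracted, and deletes the directory through DelNodeRunDLL32 when it finishes. A single extraction like that is ordinary, but here each extracted executable is itself another IExpress package, so four extraction directories and six payloads appear before the clean-up of the first two. The detection below is an added example, not part of the report or of Joe Security tooling; it runs over Sysmon-style process creation records that I constructed from the Path and Commandline values in the process list above (parent/child links are not reproduced) and keys the severity on how many nested extraction directories executed code, which is what separates a dropper chain from a legitimate IExpress installer.

```python
import re
from typing import Dict, List, Optional

# IExpress (wextract) unpacks to %LOCALAPPDATA%\Temp\IXP<nnn>.TMP\ and removes that
# directory afterwards with rundll32 advpack.dll,DelNodeRunDLL32 <dir>.
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\(IXP\d{3}\.TMP)\\", re.I)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32\s+\"?(.+?)\"?\s*$", re.I)


def iexpress_dir(path: str) -> Optional[str]:
    """Name of the IExpress extraction directory a path lives in (e.g. 'IXP000.TMP'), or None."""
    m = IXP_DIR_RE.search(path)
    return m.group(1).upper() if m else None


def delnode_target(cmdline: str) -> Optional[str]:
    """The directory an IExpress clean-up call is deleting, or None if this is not one."""
    if "rundll32" not in cmdline.lower():
        return None
    m = DELNODE_RE.search(cmdline)
    return m.group(1) if m else None


def assess(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Score a process list: how many nested IExpress stages ran and what they executed."""
    stage_dirs = set()
    payload_targets: List[int] = []
    cleanup_dirs: List[str] = []
    for r in records:
        d = iexpress_dir(str(r["image"]))
        if d:
            stage_dirs.add(d)
            payload_targets.append(int(r["target"]))
        t = delnode_target(str(r["cmdline"]))
        if t:
            cleanup_dirs.append(iexpress_dir(t) or t)
    if len(stage_dirs) >= 3:
        severity = "high"      # packages inside packages: a dropper chain, not an installer
    elif stage_dirs or cleanup_dirs:
        severity = "medium"    # one IExpress extraction or clean-up: common, check what it ran
    else:
        severity = "none"
    return {
        "stage_dirs": sorted(stage_dirs),
        "payload_targets": payload_targets,
        "cleanup_dirs": cleanup_dirs,
        "severity": severity,
    }


def _rec(target: int, image: str, cmdline: Optional[str] = None) -> Dict[str, object]:
    return {"target": target, "image": image, "cmdline": cmdline or image}


# Constructed input: one record per target in the process list of this report, using the
# Path and Commandline shown there (the clean-up command line is reproduced as displayed,
# including its trailing backslash).
TEMP = r"C:\Users\user\AppData\Local\Temp"
DELNODE_CMD = (r'C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
               + TEMP + "\\{}\\")
PROCESS_RECORDS: List[Dict[str, object]] = [
    _rec(0, r"C:\Users\user\Desktop\szDGo5lHdI.exe"),
    _rec(1, TEMP + r"\IXP000.TMP\kino0095.exe"),
    _rec(2, TEMP + r"\IXP001.TMP\kino2456.exe"),
    _rec(3, TEMP + r"\IXP002.TMP\kino0588.exe"),
    _rec(4, TEMP + r"\IXP003.TMP\bus9402.exe"),
    _rec(12, r"C:\Windows\System32\rundll32.exe", DELNODE_CMD.format("IXP000.TMP")),
    _rec(13, TEMP + r"\IXP003.TMP\con1332.exe"),
    _rec(14, r"C:\Windows\System32\rundll32.exe", DELNODE_CMD.format("IXP001.TMP")),
    _rec(15, TEMP + r"\IXP002.TMP\dvL76s65.exe"),
]

if __name__ == "__main__":
    for key, value in assess(PROCESS_RECORDS).items():
        print(f"{key}: {value}")
```

Two caveats when turning this into a production rule: the IXP<nnn>.TMP name is chosen by wextract, so a packer that re-implements IExpress extraction can use any directory, and the DelNodeRunDLL32 call runs with the privileges of the package, so in this report it appears without elevation even though the payloads it cleans up ran elevated; count stages, not just the clean-up.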

Target ID:15
Start time:20:58:44
Start date:18/03/2023
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe
Imagebase:0x400000
File size:400896 bytes
MD5 hash:C49DABA1E54976E33808914E11DEE05B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000002.412783124.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000003.345188702.0000000002C80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.411952742.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000002.411593767.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Author: ditekSHen
                                                                                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.412282672.0000000002E28000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.413281318.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.412058173.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000003.346294709.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000F.00000002.413068385.0000000004C10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                        Antivirus matches:
                                                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                                                        Target ID:16
                                                                                                                                                        Start time:20:58:48
                                                                                                                                                        Start date:18/03/2023
                                                                                                                                                        Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                                                                                                                                                        Imagebase:0x7ff6922f0000
                                                                                                                                                        File size:69632 bytes
                                                                                                                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                        No disassembly