
Windows Analysis Report
pYHrqNhFKr.exe

Overview

General Information

Sample Name: pYHrqNhFKr.exe
Original Sample Name: 65cab4a566b172d984c8f8ebfdbdfea0.exe
Analysis ID: 829683
MD5: 65cab4a566b172d984c8f8ebfdbdfea0
SHA1: 5628ef015cc37598a43b0f032b1ef91ad7f24934
SHA256: 4700abbc439afe49697e67333bf6d3fcb04b73d73f44b40f68ed20a1e4812a8b
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • pYHrqNhFKr.exe (PID: 2980 cmdline: C:\Users\user\Desktop\pYHrqNhFKr.exe MD5: 65CAB4A566B172D984C8F8EBFDBDFEA0)
    • niba6073.exe (PID: 2968 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe MD5: 7ED66C765EC9F99A5D8215486D6BC8C9)
      • niba2214.exe (PID: 5268 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe MD5: 6775BA3EF89ACFDA026F96DF54C2C21D)
        • f7051zI.exe (PID: 5244 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)
        • h99af07.exe (PID: 6132 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe MD5: C8B5287FF76DDEC6B7F8C0DA94084603)
  • rundll32.exe (PID: 408 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 5140 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 1004 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a430:$pat14: , CommandLine:
  • 0x134a7:$v2_1: ListOfProcesses
  • 0x13286:$v4_3: base64str
  • 0x13dff:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12811:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Source | Rule | Description | Author | Strings
00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1328:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source | Rule | Description | Author | Strings
5.2.h99af07.exe.2bf0e67.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.2.h99af07.exe.2bf0e67.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
5.2.h99af07.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.2.h99af07.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
5.2.h99af07.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: pYHrqNhFKr.exe | ReversingLabs: Detection: 69%
Source: pYHrqNhFKr.exe | Virustotal: Detection: 50%
Source: pYHrqNhFKr.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Virustotal: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | ReversingLabs: Detection: 46%
Source: pYHrqNhFKr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00072F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01252F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack
Source: pYHrqNhFKr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: pYHrqNhFKr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb | source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source: Binary string: Healer.pdb | source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL | source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb | source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb | source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb | source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr
Source: Binary string: _.pdb | source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb | source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source: Binary string: Healer.pdbH5 | source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

Networking

Source: Malware configuration extractor | URLs: 193.233.20.28:4125
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, l64fQ59.exe.0.dr | String found in binary or memory: https://api.ip.sb/ip
Source: h99af07.exe, 00000005.00000002.307016604.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: pYHrqNhFKr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A3BA2
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00073BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00075C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01253BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01255C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: String function: 0040E1D8 appears 44 times
Source: pYHrqNhFKr.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 710141 bytes, 2 files, at 0x2c +A "niba6073.exe" +A "l64fQ59.exe", ID 1861, number 1, 28 datablocks, 0x1503 compression
Source: niba6073.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 564865 bytes, 2 files, at 0x2c +A "niba2214.exe" +A "imYkV36.exe", ID 1948, number 1, 23 datablocks, 0x1503 compression
Source: niba2214.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205776 bytes, 2 files, at 0x2c +A "f7051zI.exe" +A "h99af07.exe", ID 1758, number 1, 11 datablocks, 0x1503 compression
Source: pYHrqNhFKr.exe, 00000000.00000003.241408245.000000000300D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2
Source: imYkV36.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: h99af07.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pYHrqNhFKr.exe | ReversingLabs: Detection: 69%
Source: pYHrqNhFKr.exe | Virustotal: Detection: 50%
Source: pYHrqNhFKr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\pYHrqNhFKr.exe C:\Users\user\Desktop\pYHrqNhFKr.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7051zI.exe.log
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Code function: 3_2_00007FFC9DD11B10 ChangeServiceConfigA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Command line argument: Kernel32.dll (0_2_008A2BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Command line argument: Kernel32.dll (1_2_00072BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Command line argument: Kernel32.dll (2_2_01252BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Command line argument: 08A (5_2_00413780)
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: pYHrqNhFKr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: pYHrqNhFKr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: pYHrqNhFKr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: pYHrqNhFKr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: pYHrqNhFKr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: pYHrqNhFKr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: wextract.pdb source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
              Source: Binary string: Healer.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: wextract.pdbGCTL source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
              Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
              Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr
              Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr
              Source: Binary string: _.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
              Source: Binary string: Healer.pdbH5 source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp

              Data Obfuscation

              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
              Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A724D push ecx; ret | 0_2_008A7260
              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_0007724D push ecx; ret | 1_2_00077260
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_0125724D push ecx; ret | 2_2_01257260
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C40C push cs; iretd | 5_2_0041C4E2
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00423149 push eax; ret | 5_2_00423179
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C50E push cs; iretd | 5_2_0041C4E2
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00422D28 push ss; ret | 5_2_00422D3A
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004231C8 push eax; ret | 5_2_00423179
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040E21D push ecx; ret | 5_2_0040E230
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C6BE push ebx; ret | 5_2_0041C6BF
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_02E9C693 push edi; retf | 5_2_02E9C694
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_02E99748 push FFFFFFE1h; ret | 5_2_02E99757
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E454E push ecx; retf | 5_2_045E4554
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E4139 push edi; iretd | 5_2_045E414E
              Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA | 0_2_008A2F1D
              Source: l64fQ59.exe.0.dr | Static PE information: 0xD1DEA1A2 [Tue Jul 29 15:28:34 2081 UTC]
              Source: initial sample | Static PE information: section name: .text entropy: 7.842085736950787
              Source: initial sample | Static PE information: section name: .text entropy: 7.7554731967823
              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
              Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe
              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
              Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
              Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA | 0_2_008A1AE8
              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00071AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA | 1_2_00071AE8
              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01251AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA | 2_2_01251AE8
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Process information set: NOOPENFILEERRORBOX (14 occurrences)
              Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)