Windows Analysis Report
o6B2U4HjCJ.exe

Overview

General Information

Sample Name: o6B2U4HjCJ.exe
Original Sample Name: dcb518ed1ed68c30a11cb79d50a0fe69.exe
Analysis ID: 829694
MD5: dcb518ed1ed68c30a11cb79d50a0fe69
SHA1: c770b74ee42bba7f1699341e8b03923b93a60789
SHA256: 38f88f2119c82d04462c902771d27d1ec546b3d556081a6103d844add1a9af09
Tags: 32 exe trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • o6B2U4HjCJ.exe (PID: 5604 cmdline: C:\Users\user\Desktop\o6B2U4HjCJ.exe MD5: DCB518ED1ED68C30A11CB79D50A0FE69)
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration: {"C2 url": "185.11.61.125:22344", "Bot Id": "@chicago", "Message": "Error", "Authorization Header": "21f863e0cbd09d0681058e068d0d1d7f"}
Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp
Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x282c4:$pat14: , CommandLine:
  • 0x1c8c4:$v2_1: ListOfProcesses
  • 0x1c09f:$v4_3: base64str
  • 0x1c06c:$v4_4: stringKey
  • 0x1c0a9:$v4_5: BytesToStringConverted
  • 0x1c094:$v4_6: FromBase64
  • 0x1c578:$v4_8: procName
  • 0x1a09f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Source: 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp
Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x291ac:$pat14: , CommandLine:
  • 0x1d7ac:$v2_1: ListOfProcesses
  • 0x1cf87:$v4_3: base64str
  • 0x1cf54:$v4_4: stringKey
  • 0x1cf91:$v4_5: BytesToStringConverted
  • 0x1cf7c:$v4_6: FromBase64
  • 0x1d460:$v4_8: procName
  • 0x1af87:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

(9 further memory-dump matches not shown)

Source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack
Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.

Source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack
Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.

Source: 0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack
Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

(23 further unpacked-PE matches not shown)
              No Sigma rule has matched
Timestamp: 03/18/23-22:06:06.966690
Source IP: 192.168.2.3
Destination IP: 185.11.61.125
Source Port: 49701
Destination Port: 22344
SID: 2043233
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: o6B2U4HjCJ.exe | ReversingLabs: Detection: 38%
Source: o6B2U4HjCJ.exe | Virustotal: Detection: 39%
Source: o6B2U4HjCJ.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.11.61.125:22344", "Bot Id": "@chicago", "Message": "Error", "Authorization Header": "21f863e0cbd09d0681058e068d0d1d7f"}

              Compliance

Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Unpacked PE file: 0.2.o6B2U4HjCJ.exe.400000.0.unpack
Source: o6B2U4HjCJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: _.pdb | source: o6B2U4HjCJ.exe, 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qq5C:\dijulituh\sefoy\mafosivubitalu.pdb | source: o6B2U4HjCJ.exe
Source: Binary string: C:\dijulituh\sefoy\mafosivubitalu.pdb | source: o6B2U4HjCJ.exe

              Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49701 -> 185.11.61.125:22344
Source: Malware configuration extractor | URLs: 185.11.61.125:22344
Source: Joe Sandbox View | ASN Name: VERTEX-ASRU
Source: Joe Sandbox View | IP Address: 185.11.61.125
Source: global traffic | TCP traffic: 192.168.2.3:49701 -> 185.11.61.125:22344
Source: unknown | TCP traffic detected without corresponding DNS query: 185.11.61.125
              Source: o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: o6B2U4HjCJ.exe, 00000000.00000002.294575033.0000000002ECA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

              Source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.49956f6.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4c40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.49965de.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000000.00000002.294617353.0000000002ED8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
              Source: o6B2U4HjCJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.49956f6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4c40000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.49965de.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.294617353.0000000002ED8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00408C60
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0040DC11
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00407C3F
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00418CCC
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00406CA0
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_004028B0
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0041A4BE
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00418244
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00401650
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00402F20
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_004193C4
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00418788
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00402F89
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_00402B90
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_004073A0
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_048E0C20
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_048E0C30
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_073575C8
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_07358300
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0735A368
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0735C350
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0735BDEF
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0735C680
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_0735D4B0
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: String function: 0040E1D8 appears 44 times
              Source: o6B2U4HjCJ.exe, 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000052B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000052B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000052B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000052B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.293546962.0000000000463000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F53000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRetainer.exe" vs o6B2U4HjCJ.exe
              Source: o6B2U4HjCJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: o6B2U4HjCJ.exe | ReversingLabs: Detection: 38%
              Source: o6B2U4HjCJ.exe | Virustotal: Detection: 39%
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
              Source: o6B2U4HjCJ.exe, 00000000.00000003.284064494.0000000006102000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000060B1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.0000000006153000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | Command line argument: 08A
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: o6B2U4HjCJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: _.pdb source: o6B2U4HjCJ.exe, 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Qq5C:\dijulituh\sefoy\mafosivubitalu.pdb source: o6B2U4HjCJ.exe
              Source: Binary string: C:\dijulituh\sefoy\mafosivubitalu.pdb source: o6B2U4HjCJ.exe

              Data Obfuscation

              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeUnpacked PE file: 0.2.o6B2U4HjCJ.exe.400000.0.unpack
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeUnpacked PE file: 0.2.o6B2U4HjCJ.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0041C40C push cs; iretd
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_00423149 push eax; ret
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0041C50E push cs; iretd
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_004231C8 push eax; ret
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0040E21D push ecx; ret
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0041C6BE push ebx; ret
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_02EDA9C3 push FFFFFFE1h; ret
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_02EDD90E push edi; retf
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_048E3F83 pushfd ; iretd
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
              Source: initial sampleStatic PE information: section name: .text entropy: 7.764807118496576
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe TID: 4228Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe TID: 1764Thread sleep count: 9545 > 30
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWindow / User API: threadDelayed 9545
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeAPI call chain: ExitProcess graph end node
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareHFO5P8U1Win32_VideoControllerK2BW3MUZVideoController120060621000000.000000-00021466585display.infMSBDACAHS5WU7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsYR1GVNYNq
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareHFO5P8U1Win32_VideoControllerK2BW3MUZVideoController120060621000000.000000-00021466585display.infMSBDACAHS5WU7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsYR1GVNYNLMEMp
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareHFO5P8U1Win32_VideoControllerK2BW3MUZVideoController120060621000000.000000-00021466585display.infMSBDACAHS5WU7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsYR1GVNYN]
              Source: o6B2U4HjCJ.exe, 00000000.00000002.294696055.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_02ED8EAB push dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeMemory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_004123F1 SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nder\MsMpeng.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: les%\Windows Defender\MsMpeng.exe
              Source: o6B2U4HjCJ.exe, 00000000.00000002.294696055.0000000002F2F000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.300616809.0000000008094000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.300455913.0000000008000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

              Stealing of Sensitive Information

              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49956f6.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49965de.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\o6B2U4HjCJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: Yara matchFile source: Process Memory Space: o6B2U4HjCJ.exe PID: 5604, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49956f6.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.49965de.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are listed per tactic column, in the order the matrix shows them. A number in parentheses is the count badge the report attaches to that cell, reproduced as extracted; cells without a number carry no badge.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (221); Command and Scripting Interpreter (2); Native API (2); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (261); Virtualization/Sandbox Evasion (231); Process Discovery (12); Application Window Discovery (1); System Information Discovery (134)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
o6B2U4HjCJ.exe | 38% | ReversingLabs | Win32.Trojan.Generic |
o6B2U4HjCJ.exe | 39% | Virustotal | | Browse
o6B2U4HjCJ.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://tempuri.org/Contract/MSValue2Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Contract/MSValue3Response | 0% | URL Reputation | safe |
185.11.61.125:22344 | 0% | URL Reputation | safe |
http://tempuri.org/Contract/MSValue1 | 0% | URL Reputation | safe |
http://tempuri.org/Contract/MSValue2 | 0% | URL Reputation | safe |
http://tempuri.org/Contract/MSValue3 | 0% | URL Reputation | safe |
http://www.w3.o | 0% | URL Reputation | safe |

No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
185.11.61.125:22344 | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Contract/MSValue2Response | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmp | false | |
                                high
                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepareo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecreto6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issueo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/faulto6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2004/10/wsato6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registero6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://api.ip.sb/ipo6B2U4HjCJ.exe, 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2004/04/sco6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Contract/MSValue3Responseo6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000547B000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issueo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressingo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issueo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completiono6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trusto6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonceo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnso6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renewo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentityo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://search.yahoo.com?fr=crmas_sfpfo6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000613D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000050B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000525C000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000005144000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F4D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000502D000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FE1000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000605F000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061B8000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.000000000615A000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000005FC4000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.0000000006042000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000003.284064494.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.298158758.00000000060C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Contract/MSValue1o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trusto6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Contract/MSValue2o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Contract/MSValue3o6B2U4HjCJ.exe, 00000000.00000002.296405357.000000000547B000.00000004.00000800.00020000.00000000.sdmp, o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbacko6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/06/addressingexo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscooro6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonceo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faulto6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renewo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510o6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.w3.oo6B2U4HjCJ.exe, 00000000.00000002.296405357.00000000053FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdo6B2U4HjCJ.exe, 00000000.00000002.296405357.0000000004F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
IP:185.11.61.125
Domain:unknown
Country:Russian Federation
ASN:199539
ASN Name:VERTEX-ASRU
Malicious:true
                                                                                                                                                                                                    Joe Sandbox Version:37.0.0 Beryl
                                                                                                                                                                                                    Analysis ID:829694
                                                                                                                                                                                                    Start date and time:2023-03-18 22:05:06 +01:00
                                                                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                                                                    Overall analysis duration:0h 6m 15s
                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                    Report type:light
                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                    • HDC enabled
                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                    Sample file name:o6B2U4HjCJ.exe
                                                                                                                                                                                                    Original Sample Name:dcb518ed1ed68c30a11cb79d50a0fe69.exe
                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                                                                                                                                                                                                    EGA Information:
                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                    HDC Information:
                                                                                                                                                                                                    • Successful, ratio: 15.9% (good quality ratio 15.2%)
                                                                                                                                                                                                    • Quality average: 84.9%
                                                                                                                                                                                                    • Quality standard deviation: 24.9%
                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                    • Successful, ratio: 90%
                                                                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 93.184.221.240, 209.197.3.8
                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed; report is missing behavior information
                                                                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time:22:06:13
Type:API Interceptor
Description:55x Sleep call for process: o6B2U4HjCJ.exe modified
                                                                                                                                                                                                    No context
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\o6B2U4HjCJ.exe
                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2291
                                                                                                                                                                                                    Entropy (8bit):5.3192079301865585
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHK1HG1qHxLH5HZHu:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbqs
                                                                                                                                                                                                    MD5:D7EF19655FC3FB2B87FA63100FBBD255
                                                                                                                                                                                                    SHA1:5959AAD372EAEA1B7B74F9D6471842D30E3316FD
                                                                                                                                                                                                    SHA-256:460A28FAAA1701DEDEFD31077A122992C13E5F6D7DD9EBBE481100F67D1721DD
                                                                                                                                                                                                    SHA-512:EEF0AF31D3D233905CF3C38C9ACE054117E36EF40C6C7FAFB68268749E917D1DA4DF0A8FE9C7CA4A486C77AA083B6437EA7AFCB235A5C24D25B6AD4AB5A0104E
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.6860198334423
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: o6B2U4HjCJ.exe
File size: 435712
MD5: dcb518ed1ed68c30a11cb79d50a0fe69
SHA1: c770b74ee42bba7f1699341e8b03923b93a60789
SHA256: 38f88f2119c82d04462c902771d27d1ec546b3d556081a6103d844add1a9af09
SHA512: 69cf914141ba3d01aeaedf40da8a546aa1dbd9bcc9027018edc80a3bbbca564e45b91f62877167bd049915571bedd0542d16b34559b8c8a2b672d57be2a8479c
SSDEEP: 6144:CJcavfLvJ3Vx3AxSqFPt+HTUVe64wGz/wWpNV/DXqOxI:Yvf7J3Vx3AEqFPdVzpGEWpzLlI
TLSH: 75946C8392A17D59E9264B33DE1FCAE8B71DF270DF49776632189A2B04701F2C163B94
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.......,.......,.......,..0W...,...-...,.......,.......,.......,.Rich..,.................PE..L.....Ma...........
Icon Hash: 94a4a49480a4a4e2
Entrypoint: 0x406ee1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x614DF0F8 [Fri Sep 24 15:38:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 6aedf45f51642709580c9dc83560f5b5
Instruction
call 00007F350C94D4F4h
jmp 00007F350C94804Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push dword ptr [02AF4010h]
call 00007F350C94CF89h
push dword ptr [02AF400Ch]
mov edi, eax
mov dword ptr [ebp-04h], edi
call 00007F350C94CF79h
mov esi, eax
pop ecx
pop ecx
cmp esi, edi
jc 00007F350C948259h
mov ebx, esi
sub ebx, edi
lea eax, dword ptr [ebx+04h]
cmp eax, 04h
jc 00007F350C948249h
push edi
call 00007F350C94D622h
mov edi, eax
lea eax, dword ptr [ebx+04h]
pop ecx
cmp edi, eax
jnc 00007F350C94821Ah
mov eax, 00000800h
cmp edi, eax
jnc 00007F350C9481D4h
mov eax, edi
add eax, edi
cmp eax, edi
jc 00007F350C9481E1h
push eax
push dword ptr [ebp-04h]
call 00007F350C94D5B0h
pop ecx
pop ecx
test eax, eax
jne 00007F350C9481E8h
lea eax, dword ptr [edi+10h]
cmp eax, edi
jc 00007F350C948212h
push eax
push dword ptr [ebp-04h]
call 00007F350C94D59Ah
pop ecx
pop ecx
test eax, eax
je 00007F350C948203h
sar ebx, 02h
push eax
lea esi, dword ptr [eax+ebx*4]
call 00007F350C94CE94h
pop ecx
mov dword ptr [02AF4010h], eax
push dword ptr [ebp+08h]
call 00007F350C94CE86h
mov dword ptr [esi], eax
add esi, 04h
push esi
call 00007F350C94CE7Bh
pop ecx
mov dword ptr [02AF400Ch], eax
mov eax, dword ptr [ebp+08h]
pop ecx
jmp 00007F350C9481D4h
xor eax, eax
pop edi
pop esi
pop ebx
leave
ret
mov edi, edi
push esi
Programming Language:
• [ASM] VS2008 build 21022
• [C++] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4285c          0x64          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x26f6000        0x19d70       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2710000        0xe80         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1210           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2fe8           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1b4         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x42260       0x42400   False     0.859655070754717    data       7.764807118496576   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x44000          0x26b1148     0x4200    unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x26f6000        0x19d70       0x19e00   False     0.3816519474637681   data       4.236556234424828   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2710000        0x9d20        0x9e00    False     0.08086926424050633  data       1.0065032619882839  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
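The section table above is where the report's packing indicators live: the code section .text has an entropy of 7.76 bits per byte, and .data declares a virtual size of 0x26b1148 bytes while carrying only 0x4200 bytes of raw data, i.e. a large zero-filled region that a loader can fill in at run time. The COFF time stamp (0x614DF0F8) decodes to the UTC date the report gives. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: a standard-library Python walker that parses a PE32 section table, computes per-section Shannon entropy, decodes the time stamp, and flags high-entropy executable sections, sections whose virtual size far exceeds their raw size, and sections that are both writable and executable. The entropy formula (plain Shannon entropy in bits per byte), the thresholds (7.0 bits, an 8x size ratio) and the inline PE skeleton it runs against are all assumptions made for illustration; the report does not document how its "Entropy" column is computed.

```python
"""Added example (not from the Joe Sandbox report or the analysed sample): a
standard-library PE32 section-table walker that reproduces three static
packing indicators. Entropy formula and thresholds are assumptions."""
import math
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    entropy = 0.0
    for c in counts:
        if c:
            p = c / n
            entropy -= p * math.log2(p)
    return entropy


def format_timestamp(ts: int) -> str:
    """COFF TimeDateStamp (seconds since the Unix epoch) rendered as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER array."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    first = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, first + 40 * i)
        raw = image[rawptr:rawptr + rawsize]  # on-disk bytes only; the rest is zero-filled at load
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return tstamp, sections


def section_indicators(sec: dict, entropy_threshold: float = 7.0, bloat_ratio: int = 8) -> list:
    """Heuristics a packed loader tends to trip. Thresholds are assumed; tune per corpus."""
    flags = []
    executable = sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE
    writable = sec["characteristics"] & IMAGE_SCN_MEM_WRITE
    if executable and sec["entropy"] >= entropy_threshold:
        flags.append("high-entropy executable section (packed or encrypted code?)")
    if sec["raw_size"] and sec["virtual_size"] > bloat_ratio * sec["raw_size"]:
        flags.append("virtual size far exceeds raw size (space reserved for an unpacked payload?)")
    if executable and writable:
        flags.append("section is both writable and executable")
    return flags


def analyze(image: bytes) -> dict:
    tstamp, sections = parse_sections(image)
    for s in sections:
        s["indicators"] = section_indicators(s)
    return {"timestamp": format_timestamp(tstamp), "sections": sections}


def build_sample_image() -> bytes:
    """Constructed PE32 skeleton (not loadable, not the report's sample): three
    sections laid out so that each one trips a different indicator."""
    file_align = 0x200
    sections = [  # (name, VirtualAddress, VirtualSize, raw bytes, Characteristics)
        (b".text", 0x1000, 0x400, bytes(range(256)) * 4,                  # entropy 8.0, RWX
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".data", 0x2000, 0x100000, bytes(i % 16 for i in range(0x200)),  # vsize >> raw size
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x200000, 0x200, bytes(0x200),                         # entropy 0.0, benign
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + bytes(222)           # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x614DF0F8, 0, 0, len(opt), 0x0102)
    headers, body, raw_ptr = dos + b"PE\0\0" + coff + opt, b"", file_align
    for name, va, vsize, raw, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return headers.ljust(file_align, b"\0") + body


if __name__ == "__main__":
    report = analyze(build_sample_image())
    print("compile time:", report["timestamp"])
    for s in report["sections"]:
        print(f"{s['name']:<6} va=0x{s['virtual_address']:x} vsize=0x{s['virtual_size']:x} "
              f"raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
        for f in s["indicators"]:
            print("   !", f)
```

To run it against a real file, replace build_sample_image() with open(path, "rb").read(); the parser only needs the headers and the raw section bytes, so it does not map or execute anything. Treat the flags as triage hints rather than verdicts: a legitimate .bss-style section also has a tiny raw size, which is why the ratio check is skipped when raw size is zero, and compressed resources can push entropy up without any packing.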
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x26f67e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x26f7688 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x26f7f30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x26fa4d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x26fb580 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x26fba38 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Spanish | Mexico |
| RT_ICON | 0x26fc8e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Spanish | Mexico |
| RT_ICON | 0x26fd188 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Spanish | Mexico |
| RT_ICON | 0x26fd850 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Spanish | Mexico |
| RT_ICON | 0x26fddb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Spanish | Mexico |
| RT_ICON | 0x2700360 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Spanish | Mexico |
| RT_ICON | 0x2701408 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Spanish | Mexico |
| RT_ICON | 0x2701d90 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Spanish | Mexico |
| RT_ICON | 0x2702270 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2703118 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x27039c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2703f28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x27064d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2707578 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2707f00 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x27083d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2709278 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x2709b20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x270a1e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Mexico |
| RT_ICON | 0x270a750 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x270ccf8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x270dda0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Mexico |
| RT_ICON | 0x270e728 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Mexico |
| RT_STRING | 0x270ec78 | 0x490 | data | | |
| RT_STRING | 0x270f108 | 0x3d6 | data | | |
| RT_STRING | 0x270f4e0 | 0x492 | data | | |
| RT_STRING | 0x270f978 | 0x3f8 | data | | |
| RT_ACCELERATOR | 0x270ec08 | 0x48 | data | Spanish | Mexico |
| RT_ACCELERATOR | 0x270ec50 | 0x18 | data | Spanish | Mexico |
| RT_GROUP_ICON | 0x2708368 | 0x68 | data | Spanish | Mexico |
| RT_GROUP_ICON | 0x26fb9e8 | 0x4c | data | Spanish | Mexico |
| RT_GROUP_ICON | 0x27021f8 | 0x76 | data | Spanish | Mexico |
| RT_GROUP_ICON | 0x270eb90 | 0x76 | data | Spanish | Mexico |
| None | 0x270ec68 | 0xa | data | | |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLogicalDriveStringsW, SetDefaultCommConfigW, CreateHardLinkA, GetConsoleAliasesA, LoadLibraryW, _hread, IsBadCodePtr, CreateEventA, FormatMessageW, GetFileAttributesA, GetExitCodeProcess, SetConsoleMode, WriteConsoleW, WritePrivateProfileSectionW, ChangeTimerQueueTimer, SetLastError, GetProcAddress, GlobalAddAtomA, EnumSystemCodePagesW, LocalAlloc, FoldStringA, FreeEnvironmentStringsW, VirtualProtect, EndUpdateResourceA, GetWindowsDirectoryW, GetFileInformationByHandle, InterlockedPushEntrySList, LCMapStringW, CloseHandle, CreateFileA, GetModuleHandleA, LCMapStringA, lstrcpynA, CallNamedPipeA, VirtualAlloc, GetVolumeNameForVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetLastError, HeapFree, RtlUnwind, RaiseException, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapAlloc, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleW, ExitProcess, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, SetFilePointer, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, SetStdHandle, LoadLibraryA |
| USER32.dll | ClientToScreen, LoadMenuA, InvalidateRgn, GetMenuInfo, MessageBoxIndirectW, CountClipboardFormats, SetScrollInfo |
| GDI32.dll | GetGlyphIndicesW |
| ADVAPI32.dll | RegOpenKeyA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Spanish | Mexico | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 03/18/23-22:06:06.966690 | TCP | 2043233 | ET TROJAN RedLine Stealer TCP CnC net.tcp Init | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 18, 2023 22:06:06.592199087 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:06.655941010 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:06.658765078 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:06.966690063 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:07.029198885 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:07.077758074 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:07.997076988 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:08.103241920 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:08.316272974 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:08.359060049 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:09.933237076 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:10.037476063 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411091089 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411191940 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411237955 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411282063 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411313057 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:10.411329031 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:10.411367893 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:10.468873978 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:21.734165907 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
| Mar 18, 2023 22:06:21.796538115 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:21.796591997 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:21.796624899 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:21.796658993 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:21.798943996 CET | 22344 | 49701 | 185.11.61.125 | 192.168.2.3 |
| Mar 18, 2023 22:06:21.815443039 CET | 49701 | 22344 | 192.168.2.3 | 185.11.61.125 |
No statistics

Target ID: 0
Start time: 22:05:55
Start date: 18/03/2023
Path: C:\Users\user\Desktop\o6B2U4HjCJ.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\o6B2U4HjCJ.exe
Imagebase: 0x400000
File size: 435712 bytes
MD5 hash: DCB518ED1ED68C30A11CB79D50A0FE69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.294617353.0000000002ED8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low

No disassembly