
Windows Analysis Report
qu0t4ukLoN.exe

Overview

General Information

Sample Name: qu0t4ukLoN.exe
Original Sample Name: 1df346c349b9b71b11825690be73e635.exe
Analysis ID: 876163
MD5: 1df346c349b9b71b11825690be73e635
SHA1: 13df3b1666b674f48b1fc2a836fee8ce99381fb5
SHA256: 8e96ef86e327dd3bbc1dab16ce1e57e8f380d9b2df919158f1b6786cfd6f717e
Tags: exe, RedLineStealer

Detection

Amadey, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadey's stealer DLL
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Disable Windows Defender notifications (registry)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • qu0t4ukLoN.exe (PID: 4908 cmdline: C:\Users\user\Desktop\qu0t4ukLoN.exe MD5: 1DF346C349B9B71B11825690BE73E635)
    • v7020033.exe (PID: 5988 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe MD5: A9A0FDF699EB764206C59FF3CA3FAC53)
      • v6434086.exe (PID: 2336 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe MD5: 4D67FD4D3D62A45215D1FBDF9CA87397)
        • a4758283.exe (PID: 6988 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe MD5: 1BE37E0816A88025F557178CA7FC03C8)
          • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • AppLaunch.exe (PID: 6072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • b7687179.exe (PID: 3320 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe MD5: 927C5B1DEF98D855184A0ED56D8A2787)
  • rundll32.exe (PID: 5760 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 5116 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 5296 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "77.91.68.62/wings/game/index.php", "Version": "3.83"}
{"C2 url": "83.97.73.122:19062", "Bot Id": "misa", "Authorization Header": "9e79529a6bdb4962f44d12b0d6d62d32"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xd00:$pat14: , CommandLine:
  • 0x140e6:$v2_1: ListOfProcesses
  • 0x13e9a:$v4_3: base64str
  • 0x14b69:$v4_4: stringKey
  • 0x1269c:$v4_5: BytesToStringConverted
  • 0x113ef:$v4_6: FromBase64
  • 0x12bd4:$v4_8: procName
C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000001.00000003.357315003.0000000004D41000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: b7687179.exe PID: 3320 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.3.v7020033.exe.4d85c20.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
2.3.v6434086.exe.4c3f81e.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.3.v6434086.exe.4c3f81e.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xd00:$pat14: , CommandLine:
  • 0x140e6:$v2_1: ListOfProcesses
  • 0x13e9a:$v4_3: base64str
  • 0x14b69:$v4_4: stringKey
  • 0x1269c:$v4_5: BytesToStringConverted
  • 0x113ef:$v4_6: FromBase64
  • 0x12bd4:$v4_8: procName
1.3.v7020033.exe.4d85c20.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
2.3.v6434086.exe.4c3f81e.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                            No Sigma rule has matched
Timestamp: 05/26/23-11:40:50.159297
Source IP: 192.168.2.3
Destination IP: 83.97.73.122
Source Port: 49697
Destination Port: 19062
SID: 2043231
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/26/23-11:40:32.455619
Source IP: 192.168.2.3
Destination IP: 83.97.73.122
Source Port: 49697
Destination Port: 19062
SID: 2043233
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/26/23-11:40:36.975680
Source IP: 83.97.73.122
Destination IP: 192.168.2.3
Source Port: 19062
Destination Port: 49697
SID: 2043234
Protocol: TCP
Classtype: A Network Trojan was detected

                            AV Detection

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | Avira: detection malicious, Label: HEUR/AGEN.1311185
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | Avira: detection malicious, Label: HEUR/AGEN.1317762
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "83.97.73.122:19062", "Bot Id": "misa", "Authorization Header": "9e79529a6bdb4962f44d12b0d6d62d32"}
Source: 1.3.v7020033.exe.4d85c20.0.raw.unpack | Malware Configuration Extractor: Amadey {"C2 url": "77.91.68.62/wings/game/index.php", "Version": "3.83"}
Source: qu0t4ukLoN.exe | ReversingLabs: Detection: 52%
Source: qu0t4ukLoN.exe | Virustotal: Detection: 52%
Source: qu0t4ukLoN.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe | ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | ReversingLabs: Detection: 77%
Source: qu0t4ukLoN.exe | Joe Sandbox ML: detected
Source: 1.3.v7020033.exe.4d85c20.0.raw.unpack | String decryptor (decrypted strings, one per entry):
  • 77.91.68.62
  • /wings/game/index.php
  • 3.83
  • a9e2a16078
  • metado.exe
  • SCHTASKS
  • /Create /SC MINUTE /MO 1 /TN
  • /TR "
  • " /F
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • Startup
  • cmd /C RMDIR /s/q
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • rundll32
  • /Delete /TN "
  • Programs
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • %USERPROFILE%
  • \App
  • POST
  • &vs=
  • &sd=
  • &os=
  • &bi=
  • &ar=
  • &pc=
  • &un=
  • &dm=
  • &av=
  • &lv=
  • &og=
  • cred.dll|clip.dll|
  • Main
  • http://
  • https://
  • Plugins/
  • &unit=
  • shell32.dll
  • kernel32.dll
  • GetNativeSystemInfo
  • ProgramData\
  • AVAST Software
  • Avira
  • Kaspersky Lab
  • ESET
  • Panda Security
  • Doctor Web
  • 360TotalSecurity
  • Bitdefender
  • Norton
  • Sophos
  • Comodo
  • WinDefender
  • 0123456789
  • Content-Type: multipart/form-data; boundary=----
  • ------
  • ?scr=1
  • .jpg
  • Content-Type: application/x-www-form-urlencoded
  • SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • ComputerName
  • abcdefghijklmnopqrstuvwxyz0123456789-_
  • -unicode-
  • SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
  • SYSTEM\ControlSet001\Services\BasicDisplay\Video
  • VideoID
  • \0000
  • DefaultSettings.XResolution
  • DefaultSettings.YResolution
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • ProductName
  • 2019
  • 2022
  • 2016
  • CurrentBuild
  • echo Y|CACLS "
  • " /P "
  • CACLS "
  • :R" /E
  • :F" /E
  • &&Exit
  • rundll32.exe
  • "taskkill /f /im "
  • " && timeout 1 && del
  • && Exit"
  • " && ren
  • &&
  • Powershell.exe
  • -executionpolicy remotesigned -File "
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\qu0t4ukLoN.exe | Code function: 0_2_00A92F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | Code function: 1_2_00212F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | Code function: 2_2_00BC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: qu0t4ukLoN.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qu0t4ukLoN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Source: Binary string: wextract.pdb source: qu0t4ukLoN.exe, v7020033.exe.0.dr, v6434086.exe.1.dr
                            Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: v7020033.exe, 00000001.00000003.357315003.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, v7020033.exe, 00000001.00000003.357393527.00000000030CD000.00000004.00000020.00020000.00000000.sdmp, c6803120.exe.1.dr
                            Source: Binary string: wextract.pdbGCTL source: qu0t4ukLoN.exe, v7020033.exe.0.dr, v6434086.exe.1.dr
                            Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: a4758283.exe, 00000003.00000002.361022103.0000000000426000.00000004.00000001.01000000.00000006.sdmp, a4758283.exe, 00000003.00000003.360898057.0000000000472000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.383174563.0000000004182000.00000020.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\qu0t4ukLoN.exe | Code function: 0_2_00A92390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | Code function: 1_2_00212390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

                            Networking

                            Source: TrafficSnort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49697 -> 83.97.73.122:19062
                            Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49697 -> 83.97.73.122:19062
                            Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 83.97.73.122:19062 -> 192.168.2.3:49697
                            Source: global trafficTCP traffic: 83.97.73.122 ports 19062,0,1,2,6,9
                            Source: Malware configuration extractorURLs: 77.91.68.62/wings/game/index.php
                            Source: Malware configuration extractorURLs: 83.97.73.122:19062
                            Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
                            Source: Joe Sandbox ViewIP Address: 83.97.73.122 83.97.73.122
                            Source: global trafficTCP traffic: 192.168.2.3:49697 -> 83.97.73.122:19062
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                            Source: a4758283.exe.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: b7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: b7687179.exe, 00000006.00000002.426987259.0000000003522000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id40
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: b7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: b7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, d4851931.exe.0.dr, a4758283.exe.2.drString found in binary or memory: http://www.digicert.com/CPS0
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: v6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, b7687179.exe, 00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe.2.drString found in binary or memory: https://api.ip.sb/ip
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                            Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: unknownTCP traffic detected without corresponding DNS query: 83.97.73.122
                            Source: a4758283.exe, 00000003.00000002.361052449.00000000004DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                            System Summary

                            barindex
                            Source: 2.3.v6434086.exe.4c3f81e.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: 2.3.v6434086.exe.4c3f81e.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: 6.0.b7687179.exe.e80000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A93BA2
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A95C9E
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00213BA2
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00215C9E
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC3BA2
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC5C9E
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_004068A0
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00405132
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_004059DB
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_004151A9
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00406207
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_0040DBBF
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00414C65
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00415DE5
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00405DE7
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00405607
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_004156ED
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00416E91
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeCode function: 6_2_017BF388
                            Source: qu0t4ukLoN.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 2.3.v6434086.exe.4c3f81e.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                            Source: 2.3.v6434086.exe.4c3f81e.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                            Source: 6.0.b7687179.exe.e80000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, type: DROPPEDMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A91F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00211F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: String function: 0040D294 appears 48 times
                            Source: qu0t4ukLoN.exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 635732 bytes, 2 files, at 0x2c +A "v7020033.exe" +A "d4851931.exe", ID 1672, number 1, 24 datablocks, 0x1503 compression
                            Source: v7020033.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 310750 bytes, 2 files, at 0x2c +A "v6434086.exe" +A "c6803120.exe", ID 1676, number 1, 16 datablocks, 0x1503 compression
                            Source: v6434086.exe.1.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 135234 bytes, 2 files, at 0x2c +A "a4758283.exe" +A "b7687179.exe", ID 1685, number 1, 11 datablocks, 0x1503 compression
                            Source: v6434086.exe.1.drStatic PE information: Resource name: RT_RCDATA type: x86 executable not stripped
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356607577.00000000031D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeiP5ufeu: vs qu0t4ukLoN.exe
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs qu0t4ukLoN.exe
                            Source: qu0t4ukLoN.exe, 00000000.00000003.356501749.0000000004FC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeiP5ufeu: vs qu0t4ukLoN.exe
                            Source: qu0t4ukLoN.exeBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs qu0t4ukLoN.exe
                            Source: qu0t4ukLoN.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.logJump to behavior
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/8@0/1
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A93FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A94FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,
                            Source: qu0t4ukLoN.exeReversingLabs: Detection: 52%
                            Source: qu0t4ukLoN.exeVirustotal: Detection: 52%
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: unknownProcess created: C:\Users\user\Desktop\qu0t4ukLoN.exe C:\Users\user\Desktop\qu0t4ukLoN.exe
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
                            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A91F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00211F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMPJump to behavior
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A9597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,
                            Source: b7687179.exe, 00000006.00000002.426987259.0000000003690000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000437B000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000441D000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.00000000043CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                            Source: b7687179.exe.2.dr, SystemNetNetResA.csBase64 encoded string: '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
                            Source: 6.0.b7687179.exe.e80000.0.unpack, SystemNetNetResA.csBase64 encoded string: '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
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCommand line argument: Kernel32.dll
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCommand line argument: Kernel32.dll
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCommand line argument: Kernel32.dll
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCommand line argument: P:A
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeAutomated click: OK
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeAutomated click: OK
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: qu0t4ukLoN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Source: qu0t4ukLoN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: wextract.pdb source: qu0t4ukLoN.exe, v7020033.exe.0.dr, v6434086.exe.1.dr
                            Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: v7020033.exe, 00000001.00000003.357315003.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, v7020033.exe, 00000001.00000003.357393527.00000000030CD000.00000004.00000020.00020000.00000000.sdmp, c6803120.exe.1.dr
                            Source: Binary string: wextract.pdbGCTL source: qu0t4ukLoN.exe, v7020033.exe.0.dr, v6434086.exe.1.dr
                            Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: a4758283.exe, 00000003.00000002.361022103.0000000000426000.00000004.00000001.01000000.00000006.sdmp, a4758283.exe, 00000003.00000003.360898057.0000000000472000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.383174563.0000000004182000.00000020.00000400.00020000.00000000.sdmp
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A9724D push ecx; ret
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_0021724D push ecx; ret
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC724D push ecx; ret
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_0040D2D9 push ecx; ret
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00406D88 push ecx; ret
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A9202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,
                            Source: b7687179.exe.2.drStatic PE information: 0x9F8A3121 [Mon Oct 26 13:24:49 2054 UTC]
                            Source: d4851931.exe.0.drStatic PE information: section name: .OuoYr
                            Source: a4758283.exe.2.drStatic PE information: section name: .miJql
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeFile created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeFile created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeFile created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeFile created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A91AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00211AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            barindex
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe TID: 3952Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe TID: 4184Thread sleep count: 1813 > 30
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe TID: 2104Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWindow / User API: threadDelayed 1813
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeThread delayed: delay time: 922337203685477
                            Source: b7687179.exe, 00000006.00000003.422596878.00000000015B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                            Source: b7687179.exe, 00000006.00000003.422596878.00000000015BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                            Source: b7687179.exe, 00000006.00000003.422596878.00000000015B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware62M6346KWin32_VideoControllerCWXSDRRHVideoController120060621000000.000000-000.3874714display.infMSBDAGU18O1FLPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsEYYOVXXW
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A95467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A92390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00212390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A9202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00406CDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeProcess token adjusted: Debug
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: page read and write | page guard
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A96F40 SetUnhandledExceptionFilter,
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A96CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00216F40 SetUnhandledExceptionFilter,
                            Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exeCode function: 1_2_00216CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC6F40 SetUnhandledExceptionFilter,
                            Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exeCode function: 2_2_00BC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_0040885A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_0040C4CD SetUnhandledExceptionFilter,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00406CDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00403D40 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: 3_2_00404D05 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4180000 protect: page execute and read and write
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4180000 value starts with: 4D5A
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4180000
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43FB008
                            Source: b7687179.exe.2.dr, SystemDataCommonTimeSpanStorager.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                            Source: 3.3.a4758283.exe.470000.0.unpack, Program.csReference to suspicious API methods: ('OpenProcessToken', 'OpenProcessToken@advapi32.dll')
                            Source: 5.2.AppLaunch.exe.4180000.0.unpack, Program.csReference to suspicious API methods: ('OpenProcessToken', 'OpenProcessToken@advapi32.dll')
                            Source: 6.0.b7687179.exe.e80000.0.unpack, SystemDataCommonTimeSpanStorager.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A918A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A97155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Users\user\Desktop\qu0t4ukLoN.exeCode function: 0_2_00A92BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                            Source: b7687179.exe, 00000006.00000002.438530061.000000000649C000.00000004.00000020.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.424683183.000000000649B000.00000004.00000020.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422596878.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426655979.00000000015C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                            Stealing of Sensitive Information

                            Source: Yara matchFile source: dump.pcap, type: PCAP
                            Source: Yara matchFile source: 2.3.v6434086.exe.4c3f81e.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 2.3.v6434086.exe.4c3f81e.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.b7687179.exe.e80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: b7687179.exe PID: 3320, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, type: DROPPED
                            Source: Yara matchFile source: 1.3.v7020033.exe.4d85c20.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 1.3.v7020033.exe.4d85c20.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000001.00000003.357315003.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe, type: DROPPED
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: Yara matchFile source: Process Memory Space: b7687179.exe PID: 3320, type: MEMORYSTR

                            Remote Access Functionality

                            Source: Yara matchFile source: dump.pcap, type: PCAP
                            Source: Yara matchFile source: 2.3.v6434086.exe.4c3f81e.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 2.3.v6434086.exe.4c3f81e.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.b7687179.exe.e80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: b7687179.exe PID: 3320, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, type: DROPPED
                            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                            Valid Accounts221
                            Windows Management Instrumentation
                            Path Interception2
                            Bypass User Access Control
                            21
                            Disable or Modify Tools
                            1
                            OS Credential Dumping
                            1
                            System Time Discovery
                            Remote Services1
                            Archive Collected Data
                            Exfiltration Over Other Network Medium2
                            Encrypted Channel
                            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                            System Shutdown/Reboot
                            Default Accounts13
                            Native API
                            Boot or Logon Initialization Scripts1
                            Access Token Manipulation
                            1
                            Deobfuscate/Decode Files or Information
                            1
                            Input Capture
                            1
                            File and Directory Discovery
                            Remote Desktop Protocol1
                            Data from Local System
                            Exfiltration Over Bluetooth1
                            Non-Standard Port
                            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                            Domain Accounts2
                            Command and Scripting Interpreter
                            Logon Script (Windows)311
                            Process Injection
                            21
                            Obfuscated Files or Information
                            Security Account Manager137
                            System Information Discovery
                            SMB/Windows Admin Shares1
                            Input Capture
                            Automated Exfiltration1
                            Application Layer Protocol
                            Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                            Timestomp
                            NTDS341
                            Security Software Discovery
                            Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
                            Bypass User Access Control
                            LSA Secrets11
                            Process Discovery
                            SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                            Replication Through Removable MediaLaunchdRc.commonRc.common1
                            Masquerading
                            Cached Domain Credentials231
                            Virtualization/Sandbox Evasion
                            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                            External Remote ServicesScheduled TaskStartup ItemsStartup Items231
                            Virtualization/Sandbox Evasion
                            DCSync1
                            Application Window Discovery
                            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                            Access Token Manipulation
                            Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)311
                            Process Injection
                            /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                            Rundll32
                            Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                            Behavior Graph ID: 876163 | Sample: qu0t4ukLoN.exe | Start date: 26/05/2023 | Architecture: WINDOWS | Score: 100

                            Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                            Started processes: qu0t4ukLoN.exe; rundll32.exe; rundll32.exe; rundll32.exe

                            qu0t4ukLoN.exe
                              Dropped: C:\Users\user\AppData\Local\...\v7020033.exe (PE32); C:\Users\user\AppData\Local\...\d4851931.exe (PE32)
                              Started: v7020033.exe
                            v7020033.exe
                              Dropped: C:\Users\user\AppData\Local\...\v6434086.exe (PE32); C:\Users\user\AppData\Local\...\c6803120.exe (PE32)
                              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                              Started: v6434086.exe
                            v6434086.exe
                              Dropped: C:\Users\user\AppData\Local\...\b7687179.exe (PE32); C:\Users\user\AppData\Local\...\a4758283.exe (PE32)
                              Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                              Started: a4758283.exe; b7687179.exe
                            a4758283.exe
                              Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
                              Started: AppLaunch.exe; conhost.exe
                            b7687179.exe
                              DNS/IP: 83.97.73.122, ports 19062, 49697, UNACS-AS-BG8000BurgasBG, Germany
                              Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
                            AppLaunch.exe
                              Signatures: Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)

                            Source | Detection | Scanner | Label | Link
                            qu0t4ukLoN.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer |
                            qu0t4ukLoN.exe | 53% | Virustotal | | Browse
                            qu0t4ukLoN.exe | 100% | Avira | HEUR/AGEN.1307453 |
                            qu0t4ukLoN.exe | 100% | Joe Sandbox ML | |
                            Source | Detection | Scanner | Label | Link
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | 100% | Avira | HEUR/AGEN.1311185 |
                            C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | 100% | Avira | HEUR/AGEN.1317762 |
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | 100% | Avira | HEUR/AGEN.1307453 |
                            C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | 100% | Avira | HEUR/AGEN.1307453 |
                            C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | 100% | Avira | HEUR/AGEN.1307453 |
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | 100% | Joe Sandbox ML | |
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\d4851931.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer |
                            C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer |
                            C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe | 69% | ReversingLabs | Win32.Trojan.Amadey |
                            C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe | 39% | ReversingLabs | Win32.Trojan.Plugx |
                            C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer |
                            No Antivirus matches
                            No Antivirus matches
                            Source | Detection | Scanner | Label | Link
                            http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
                            http://tempuri.org/ | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
                            https://api.ip.sb/ip | 0% | URL Reputation | safe |
                            83.97.73.122:19062 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id40 | 0% | URL Reputation | safe |
                            http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe |
                            No contacted domains info
                            Name | Malicious | Antivirus Detection | Reputation
                            83.97.73.122:19062 | true | URL Reputation: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://schemas.xmlsoap.org/ws/2005/02/sc/sct | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://duckduckgo.com/chrome_newtab | b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://duckduckgo.com/ac/?q= | b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id12Response | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://tempuri.org/ | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://tempuri.org/Entity/Id2Response | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id21Response | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id9 | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id8 | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://tempuri.org/Entity/Id5 | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id7 | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://tempuri.org/Entity/Id6 | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://tempuri.org/Entity/Id19Response | b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issueb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/faultb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2004/10/wsatb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id15Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameb7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id6Responseb7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://api.ip.sb/ipv6434086.exe, 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, b7687179.exe, 00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe.2.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/scb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id9Responseb7687179.exe, 00000006.00000002.426987259.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id20b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id21b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id22b7687179.exe, 00000006.00000002.426987259.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issueb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id1Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegob7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressingb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issueb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id10b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id11b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id12b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id16Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id13b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id14b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id15b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id16b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonceb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id17b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id18b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id5Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id19b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id10Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renewb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id8Responseb7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentityb7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://tempuri.org/Entity/Id40b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
Reputation: unknown

URL: https://search.yahoo.com?fr=crmas_sfpf
Source: b7687179.exe, 00000006.00000002.434854527.0000000004375000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042DA000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000032DF000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003488000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000042F7000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004453000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.0000000004482000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004470000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000336E000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.0000000003515000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004273000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004358000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000003.422839734.000000000449F000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.434854527.0000000004204000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://tempuri.org/Entity/Id17Response
Source: b7687179.exe, 00000006.00000002.426987259.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

URL: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: b7687179.exe, 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
IP: 83.97.73.122
Domain: unknown
Country: Germany
ASN: 25206
ASN Name: UNACS-AS-BG8000BurgasBG
Malicious: true
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 876163
Start date and time: 2023-05-26 11:39:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 12s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: qu0t4ukLoN.exe
Original Sample Name: 1df346c349b9b71b11825690be73e635.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/8@0/1
EGA Information:
• Successful, ratio: 80%
HDC Information:
• Successful, ratio: 99.8% (good quality ratio 96.9%)
• Quality average: 82.6%
• Quality standard deviation: 24.1%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target b7687179.exe, PID 3320 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time: 11:40:47
Type: API Interceptor
Description: 11x Sleep call for process: b7687179.exe modified
                                                                                                                                                              No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.3467126928258955
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
MD5: DD8B7A943A5D834CEEAB90A6BBBF4781
SHA1: 2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256: E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512: 24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

Process: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHK1HG1qX:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxk
MD5: EBF4AEAE98F14F4480152E9EDBB24123
SHA1: 21F9D2A708D7709FECD4A837536B588D953FA6FC
SHA-256: 6278F6B29B841FD578D1F01D6BA7CD9FD7A3D977BE1D503A2E19C9B2017EA1B7
SHA-512: F7A1EEA0AB96145F8AA49D43CC8C8E171137FA89E4780DCF7FC236488747518C42BCABED71CB8CB6DAF35DDF701CB1BC01A122A4E8E553E028DAA0DC0287FDC9
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

Process: C:\Users\user\Desktop\qu0t4ukLoN.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 324094
Entropy (8bit): 7.54372131384144
Encrypted: false
SSDEEP: 6144:xcDje7OxoovhLLDLjC4d8QvV+hdaLB4rOlEnQ2m3bR:iDyOVvhLLH24dBvmdaLBzEnQ2
MD5: AAE88589C2939D21D935B6DE0E73870B
SHA1: AA7CB7CFA1BCB86B52E105EA7D8D5D77A4013325
SHA-256: F6A7AE755C44744C961C5C054EE17E7E1209E9E97FBDA412BC406FBE61E2A90F
SHA-512: 70AC1FC2670E5C1098E7994FD95751302619A800BF15C42CF065AC8E86E7B799CF6044D4C7DB96BFA9B0605794F94B15EE34BC3E220828503BAE33F852537AA5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..dc..c..uc..c..rcW..c.b.c..c...c..c..c...c..uc..c..ec..c..`c..cRich..c........PE..L....vpd............................Bl............@..........................................................................S..<.......(................S...........................................=..@...............X............................text....e.......f.................. ..`.OuoYr...............j.............. ..`.rdata...K.......L..................@..@.data...h{...`...\...:..............@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\qu0t4ukLoN.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 457216
Entropy (8bit): 7.786373811719987
Encrypted: false
SSDEEP: 6144:Kpy+bnr+5p0yN90QEmoGpHE2TQYNCZje6TsbzxxTgINo2hUVE2MyrOGdKbert:TMrRy900oGpxTQaCjixxTy2bXat
MD5: A9A0FDF699EB764206C59FF3CA3FAC53
SHA1: 2578C481B0D67C710FC64163712021043D49CAA8
SHA-256: B41DD10009E2BD916D9C7AFAB7D3D9E673D4E111278EFFDD05D44F68E9F84FE4
SHA-512: 2D3784C01F16E11BA8D2DAC7D91BD6FCB3B1D5095578D4C6C82A788CFDAF278D18E31B1FF5FB284AA593AD96F39CA8789BF182FE030D6318CA080072CE3191E8
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..........................P............@...... ......................................xs...................@..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc............t...|..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):210873
                                                                                                                                                              Entropy (8bit):6.33924537885446
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:meTRJ0kHbnpN23kQKp5XzutZXKGrpeN84LuZAIybiy3xEfbi:FTR2AnpN2wDurXBeBuZAIMEj
                                                                                                                                                              MD5:3ED5D8F4F6620DE95B8EF02F28C9C5E9
                                                                                                                                                              SHA1:EEFDA1DF3A3297B00D08475B93084495ECB7FD0A
                                                                                                                                                              SHA-256:3E2696E2C4CCC222063F06F6031DC8DACF54A3B0D923650135AF17C74789738A
                                                                                                                                                              SHA-512:C4CB8AFE75866A9D7346BD9241D9119B8478259A037A39663EC0A507E5ABE2F95B10393E412BA2DC15A93316F3DE0A4E043EBC1A53E298785DB431FC70B91D4C
                                                                                                                                                              Malicious:true
                                                                                                                                                              Yara Hits:
                                                                                                                                                               • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\c6803120.exe, Author: Joe Security
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 69%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o..................PE..L...opod.................v...........V............@.......................................@.....................................d....@.......................P... ..`...p...................t...........@............................................text....t.......v.................. ..`.rdata..t|.......~...z..............@..@.data...h$..........................@....rsrc........@......................@..@.reloc... ...P..."..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):281600
                                                                                                                                                              Entropy (8bit):7.572515848405127
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6144:KTy+bnr+0p0yN90QEsZjeETsbzxgggINo2wUME2aR:tMr0y90elixggy2P
                                                                                                                                                              MD5:4D67FD4D3D62A45215D1FBDF9CA87397
                                                                                                                                                              SHA1:FB686838CEC8323CE6EC87A133C48E9723C3DED5
                                                                                                                                                              SHA-256:0C36FA81B63A4C7D12FA7A0CF055BACCA0C423E7DFEDAD6EB55281C914CA0003
                                                                                                                                                              SHA-512:D3718984BC81E18624EE801AA01F5B482DDBB2551C3AB25772F88947BAADB637733F633F77D376EF46126C4FDE6629E9DE85D898425AF655E817C0466CB94574
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..................................C....@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................|..............@..@.reloc...............B..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):186366
                                                                                                                                                              Entropy (8bit):6.898951882290762
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:lAZJrtymkLKh/gH2TPDXD1qk+yxXeOx5ITx:l+yvKdFPDXDM2D
                                                                                                                                                              MD5:1BE37E0816A88025F557178CA7FC03C8
                                                                                                                                                              SHA1:BE1947797AC7B4CDED7F3524B5AD1CD6A4B28CFC
                                                                                                                                                              SHA-256:F8DA12B0DDF6695F8669679E0148756B3676E55D2F1C9121E5A04DDAF78C6E6B
                                                                                                                                                              SHA-512:E3D189AE5918D6DC9128B8564FD90DE5FCDC2DD9BFDE5C3BFB2130BBB739CB348DD2A9B8B08D84D322C41A85F6C3409EA3C78173CA3894606B71DAF4584D8DFB
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 39%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..dc..c..uc..c..rcW..c.b.c..c...c..c..c...c..uc..c..ec..c..`c..cRich..c........PE..L....vpd............................Bl............@..........................................................................S..<.......(................S...........................................=..@...............X............................text....e.......f.................. ..`.miJql...............j.............. ..`.rdata...K.......L..................@..@.data...hc...`...D...8..............@....rsrc...(............|..............@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):148489
                                                                                                                                                              Entropy (8bit):5.412914556371622
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:LV+m5chQmRSZsBxioW/JruNFmRsZhCZR8e8ha:LjEx6U3ZhC7
                                                                                                                                                              MD5:927C5B1DEF98D855184A0ED56D8A2787
                                                                                                                                                              SHA1:EEB57B0120D4C1F6539CDC372A5E71A8947FDE3C
                                                                                                                                                              SHA-256:1A0C4908C739CF9C405A050A6FE29214525F46350E7BA49BD26F9BD7E60F6BC9
                                                                                                                                                              SHA-512:93957AD10BE2B54D2E5AB9E40B3C1A7767C9295A74E854A98FB9EDBD42D7F32C2F463913A0A7832C73697A3264F966A7E45713CBFEA8326A306DFED80FF9A1CB
                                                                                                                                                              Malicious:true
                                                                                                                                                              Yara Hits:
                                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, Author: Joe Security
                                                                                                                                                              • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, Author: ditekSHen
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 78%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!1................0.................. ........@.. ....................................@.....................................K.......N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N...........................@..@.reloc...............B..............@..B........................H.......X...H.......u...................................................a.u.t.o.f.i.l.l.P.r.o.f.i.l.e.s.T.o.t.a.l. .o.f. .R.A.M.V.P.E.n.t.i.t.y.1.2.N...A.p.p.D.a.t.a.\.L.o.c.a.l.\.....[.^.\.u.0.0.2.0.-.\.u.0.0.7.F.].U.N.K.N.O.W.N...L.o.c.a.l. .S.t.a.t.e...P.r.o.c.e.s.s.I.d.......1.*...1.l.1.d.1.b.......P.r.o.f.i.l.e._.%.a.p.p.d.a.t.a.%.\.....l.o.g.i.n.s.....{.0.}.\.F.i.l.e.Z.i.l.l.a.\.r.e.c.e.n.t.s.e.r.v.e.r.s...x.m.l...%.a.p.p.d.a.t.a.%.\.d.i.s.c.o.r.d.\.L.o.c.a.l. .S.t.o.r.
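The preview of the RedLine payload above shows its strings as dotted runs ("a.u.t.o.f.i.l.l.P.r.o.f.i.l.e.s", "T.o.t.a.l. .o.f. .R.A.M.", "L.o.c.a.l. .S.t.a.t.e.", "{.0.}.\.F.i.l.e.Z.i.l.l.a.\.r.e.c.e.n.t.s.e.r.v.e.r.s...x.m.l") because .NET string literals are stored as UTF-16LE and the hex preview prints every NUL byte as a dot. The script below is an added example, not part of the Joe Sandbox report: it pulls ASCII and UTF-16LE runs out of a byte blob, the way `strings -el` would, and tags the ones that name stealer targets. The blob it runs on is constructed here from a DOS stub plus the wide strings visible in the preview; the `INDICATORS` table and its meanings are this example's reading of those strings, not a rule from the report.

```python
"""Recover printable strings from a PE blob, including the UTF-16LE runs that
the report's hex preview renders as dotted text.  Added example; SAMPLE is a
constructed blob mirroring strings from the preview, not the dropped file."""
import re


def extract_strings(data, min_len=6):
    """Return (encoding, offset, text) for every ASCII or UTF-16LE run of at
    least min_len printable characters, ordered by offset in the blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Each UTF-16LE code unit for a printable ASCII character is <char> <NUL>.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda hit: hit[1])


# Names and paths seen in the RedLine preview and what each one points at.
# This mapping is the example's own reading, not a rule from the report.
INDICATORS = {
    "autofillProfiles": "browser autofill data",
    "Local State": "Chromium Local State file (holds the DPAPI-wrapped key)",
    "FileZilla": "FileZilla stored servers and credentials",
    "discord": "Discord client storage (tokens)",
}


def tag_indicators(strings):
    """Return (offset, text, meaning) for every extracted string that
    contains one of the INDICATORS needles (case-insensitive)."""
    tags = []
    for _enc, offset, text in strings:
        for needle, meaning in INDICATORS.items():
            if needle.lower() in text.lower():
                tags.append((offset, text, meaning))
    return tags


# Constructed input: DOS stub text, binary noise, and wide strings copied from
# the preview.  NOISE contains no printable run, so it separates the hits.
NOISE = bytes([0x00, 0x13, 0x37, 0xFF, 0x80, 0x0A]) * 4
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + NOISE
    + "autofillProfiles".encode("utf-16-le") + b"\x00\x00"
    + "Total of RAM".encode("utf-16-le") + b"\x00\x00"
    + NOISE
    + "Local State".encode("utf-16-le") + b"\x00\x00"
    + "{0}\\FileZilla\\recentservers.xml".encode("utf-16-le") + b"\x00\x00"
    + "%appdata%\\discord\\".encode("utf-16-le") + NOISE
)


if __name__ == "__main__":
    hits = extract_strings(SAMPLE)
    for enc, offset, text in hits:
        print(f"{offset:#06x} {enc:8} {text}")
    for offset, text, meaning in tag_indicators(hits):
        print(f"indicator at {offset:#06x}: {text!r} -> {meaning}")
```

Running the same two functions over a real dropped file (`open(path, "rb").read()`) is the quickest way to confirm a stealer's target list before any decryption or deobfuscation; note that obfuscated .NET samples may keep their literals encrypted, as the "string decryption" signature in the report suggests for this family, in which case only the surviving plain strings show up.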
                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):7.902876514651296
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                              File name:qu0t4ukLoN.exe
                                                                                                                                                              File size:782336
                                                                                                                                                              MD5:1df346c349b9b71b11825690be73e635
                                                                                                                                                              SHA1:13df3b1666b674f48b1fc2a836fee8ce99381fb5
                                                                                                                                                              SHA256:8e96ef86e327dd3bbc1dab16ce1e57e8f380d9b2df919158f1b6786cfd6f717e
                                                                                                                                                              SHA512:96ffdf2aa68e54bbbfa32659d5683851adba4c50f19ab348233af6a5c284cbbb45b19344cc3668990e51ca66ddfb7c66cf1186d01a793380187a37553967fc8f
                                                                                                                                                              SSDEEP:12288:vMrGy90d/w92r1bjyeDmpa2lixNTy2Iuuomfds+nnII4d22mdQLBNEFz:VyqFvrNTy2dm1zn94Q2mdUS
                                                                                                                                                              TLSH:56F42353A3D82133D8F81F7088FA028B1B397E616A78072B3745A99D1CF3D946576B27
                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...N...K...H...K...O...K...J...K...J...K...C...K.......K...I...K.Rich..K.........PE..L....`.b.................d.
                                                                                                                                                              Icon Hash:3b6120282c4c5a1f
                                                                                                                                                              Entrypoint:0x406a60
                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                              Digitally signed:false
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                              Time Stamp:0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
                                                                                                                                                              TLS Callbacks:
                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                              OS Version Major:10
                                                                                                                                                              OS Version Minor:0
                                                                                                                                                              File Version Major:10
                                                                                                                                                              File Version Minor:0
                                                                                                                                                              Subsystem Version Major:10
                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                              Import Hash:646167cce332c1c252cdcb1839e0cf48
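The static fields above (time stamp, entry point and its section, subsystem, the two characteristics bitmasks, and the 8-bit entropy column that also appears for every dropped file) come straight from the PE headers, and reproducing them is a useful sanity check on any sandbox output. The script below is an added example, not Joe Sandbox's code: it parses a PE32 image with nothing but `struct`, decodes the flag bits by their PE/COFF names, converts the COFF time stamp to the same UTC form the report prints, and computes Shannon entropy for the whole file and per section. Its input is a constructed image whose header values are copied from the report (time stamp 0x628D60E2, entry point 0x406a60, image base 0x400000, DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TERMINAL_SERVER_AWARE) but whose single section is uniform filler rather than the real sample's bytes. One caveat the numbers illustrate: the sample's entropy of 7.90 sits close to the 8.0 ceiling, which is what compressed or encrypted content looks like, and a per-section breakdown shows where that content lives.

```python
"""Decode the static PE fields the report lists and compute 8-bit entropy.
Added example; build_sample_pe() is a constructed PE32 image with header
values copied from the report and a filler body, not the real sample."""
import json
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Flag names from the PE/COFF specification (only the bits decoded here).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE",
                        0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's
    'Entropy (8bit)'.  Values near 8 indicate compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data):
    """Extract the header fields shown in the report from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    imagebase = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):            # section table follows the optional header
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 2),
        })
    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])),
                         None)
    return {
        "time_stamp": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                              .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "entrypoint": imagebase + entry_rva,   # report prints the VA, not the RVA
        "entrypoint_section": entry_section,
        "imagebase": imagebase,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dllchar, DLL_CHARACTERISTICS),
        "sections": sections,
        "entropy": round(shannon_entropy(data), 2),
    }


def build_sample_pe():
    """Constructed PE32 image: header values copied from the report, one
    .text section filled with a uniform byte pattern (entropy exactly 8.0)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x628D60E2, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB9I", 0x10B, 14, 0, 0x6400, 0x3000, 0,
                      0x6A60, 0x1000, 0x8000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<6H", 10, 0, 10, 0, 10, 0)                  # OS/image/subsystem versions
    opt += struct.pack("<4I", 0, 0x8000, 0x400, 0)                  # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x0040 | 0x0100 | 0x4000 | 0x8000)  # GUI subsystem, DllCharacteristics
    opt += struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                         # empty data directories
    section = struct.pack("<8s6IHHI", b".text", 0x6300, 0x1000, 0x6400, 0x400,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    body = (bytes(range(256)) * 100)[:0x6400]
    return headers.ljust(0x400, b"\0") + body


if __name__ == "__main__":
    print(json.dumps(parse_pe32(build_sample_pe()), indent=2))
```

Point `parse_pe32` at `open(path, "rb").read()` to compare a file's own headers against a report; a time stamp far from the observed drop date, an entry point outside `.text`, or a section with entropy above roughly 7.5 next to a low-entropy `.text` are the usual tells of a packer stub wrapping the real payload.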
                                                                                                                                                              Instruction
                                                                                                                                                              call 00007FEAA9141CD5h
                                                                                                                                                              jmp 00007FEAA91415E5h
                                                                                                                                                              push 00000058h
                                                                                                                                                              push 004072B8h
                                                                                                                                                              call 00007FEAA9141D77h
                                                                                                                                                              xor ebx, ebx
                                                                                                                                                              mov dword ptr [ebp-20h], ebx
                                                                                                                                                              lea eax, dword ptr [ebp-68h]
                                                                                                                                                              push eax
                                                                                                                                                              call dword ptr [0040A184h]
                                                                                                                                                              mov dword ptr [ebp-04h], ebx
                                                                                                                                                              mov eax, dword ptr fs:[00000018h]
                                                                                                                                                              mov esi, dword ptr [eax+04h]
                                                                                                                                                              mov edi, ebx
                                                                                                                                                              mov edx, 004088ACh
                                                                                                                                                              mov ecx, esi
                                                                                                                                                              xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007FEAA91415FAh
cmp eax, esi
jne 00007FEAA91415E9h
xor esi, esi
inc esi
mov edi, esi
jmp 00007FEAA91415F2h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007FEAA91415B9h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007FEAA91415ECh
push 0000001Fh
call 00007FEAA9141B0Bh
pop ecx
jmp 00007FEAA914161Ch
cmp dword ptr [004088B0h], ebx
jne 00007FEAA914160Eh
mov dword ptr [004088B0h], esi
push 004010C4h
push 004010B8h
call 00007FEAA9141736h
pop ecx
pop ecx
test eax, eax
je 00007FEAA91415F9h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007FEAA9141719h
mov dword ptr [004081E4h], esi
cmp dword ptr [004088B0h], esi
jne 00007FEAA91415FDh
push 004010B4h
push 004010ACh
call 00007FEAA9141CC5h
pop ecx
pop ecx
mov dword ptr [000088B0h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa28c | 0xb4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0xb68ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc3000 | 0x888 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1410 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1008 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x288 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6314 | 0x6400 | False | 0.5744140625 | data | 6.314163792045976 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0x1a48 | 0x200 | False | 0.609375 | data | 4.970639543960129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa000 | 0x1052 | 0x1200 | False | 0.4140625 | data | 5.025949912909207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0xb7000 | 0xb6a00 | False | 0.95906191178987 | data | 7.930785235213812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc3000 | 0x888 | 0xa00 | False | 0.746484375 | data | 6.222637930812128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AVI | 0xc9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States
RT_ICON | 0xf814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
RT_ICON | 0xfe7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
RT_ICON | 0x10164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States
RT_ICON | 0x1034c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
RT_ICON | 0x10474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
RT_ICON | 0x1131c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
RT_ICON | 0x11bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States
RT_ICON | 0x1228c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
RT_ICON | 0x127f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x201c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x22770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x23818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
RT_ICON | 0x241a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_DIALOG | 0x24608 | 0x2f2 | data | English | United States
RT_DIALOG | 0x248fc | 0x1b0 | data | English | United States
RT_DIALOG | 0x24aac | 0x166 | data | English | United States
RT_DIALOG | 0x24c14 | 0x1c0 | data | English | United States
RT_DIALOG | 0x24dd4 | 0x130 | data | English | United States
RT_DIALOG | 0x24f04 | 0x120 | data | English | United States
RT_STRING | 0x25024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States
RT_STRING | 0x250b0 | 0x520 | data | English | United States
RT_STRING | 0x255d0 | 0x5cc | data | English | United States
RT_STRING | 0x25b9c | 0x4b0 | data | English | United States
RT_STRING | 0x2604c | 0x44a | data | English | United States
RT_STRING | 0x26498 | 0x3ce | data | English | United States
RT_RCDATA | 0x26868 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x26870 | 0x9b354 | Microsoft Cabinet archive data, many, 635732 bytes, 2 files, at 0x2c +A "v7020033.exe" +A "d4851931.exe", ID 1672, number 1, 24 datablocks, 0x1503 compression | English | United States
RT_RCDATA | 0xc1bc4 | 0x4 | data | English | United States
RT_RCDATA | 0xc1bc8 | 0x24 | data | English | United States
RT_RCDATA | 0xc1bec | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1bf4 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1bfc | 0x4 | data | English | United States
RT_RCDATA | 0xc1c00 | 0xd | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1c10 | 0x4 | data | English | United States
RT_RCDATA | 0xc1c14 | 0xd | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1c24 | 0x4 | data | English | United States
RT_RCDATA | 0xc1c28 | 0x9 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1c34 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xc1c3c | 0x7 | ASCII text, with no line terminators | English | United States
RT_GROUP_ICON | 0xc1c44 | 0xbc | data | English | United States
RT_VERSION | 0xc1d00 | 0x408 | data | English | United States
RT_MANIFEST | 0xc2108 | 0x7e2 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll | GetDeviceCaps
USER32.dll | SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/26/23-11:40:50.159297 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49697 | 19062 | 192.168.2.3 | 83.97.73.122
05/26/23-11:40:32.455619 | TCP | 2043233 | ET TROJAN RedLine Stealer TCP CnC net.tcp Init | 49697 | 19062 | 192.168.2.3 | 83.97.73.122
05/26/23-11:40:36.975680 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 19062 | 49697 | 83.97.73.122 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                              May 26, 2023 11:40:46.723166943 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:46.731164932 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:46.788501978 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:46.790275097 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:46.847825050 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:46.880130053 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:46.937726021 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:46.985423088 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.030561924 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.087986946 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.088042021 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.141644955 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.356575966 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.413834095 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.414064884 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.414083004 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.414403915 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.469794989 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.487380028 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:47.545372009 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:47.594831944 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:50.101281881 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:50.158529997 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:50.158723116 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:50.159296989 CEST4969719062192.168.2.383.97.73.122
                                                                                                                                                              May 26, 2023 11:40:50.216737986 CEST190624969783.97.73.122192.168.2.3
                                                                                                                                                              May 26, 2023 11:40:50.262445927 CEST4969719062192.168.2.383.97.73.122

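Every packet row above belongs to one TCP conversation between the analysis VM (192.168.2.3, ephemeral port 49697) and 83.97.73.122 on port 19062, traffic in both directions over roughly five seconds. The script below is an added example and not part of the Joe Sandbox report: it parses rows laid out in the table's five columns (tab-separated, which is an assumption about the export format), infers direction from RFC 1918 membership rather than from a hard-coded VM address, collapses the per-packet rows into one session per remote ip:port, and emits indicators for sessions whose remote port falls outside an assumed set of expected ports. The sample rows are a constructed subset of the table's own values; EXPECTED_PORTS and all function and class names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: seven rows copied from the packet table above, laid out as
# five tab-separated columns (timestamp, source port, dest port, source IP,
# dest IP). The values are the report's own; the tab layout is an assumption.
SAMPLE_ROWS = (
    "May 26, 2023 11:40:45.838387966 CEST\t19062\t49697\t83.97.73.122\t192.168.2.3\n"
    "May 26, 2023 11:40:45.891550064 CEST\t49697\t19062\t192.168.2.3\t83.97.73.122\n"
    "May 26, 2023 11:40:45.927423954 CEST\t49697\t19062\t192.168.2.3\t83.97.73.122\n"
    "May 26, 2023 11:40:45.985167980 CEST\t19062\t49697\t83.97.73.122\t192.168.2.3\n"
    "May 26, 2023 11:40:47.356575966 CEST\t49697\t19062\t192.168.2.3\t83.97.73.122\n"
    "May 26, 2023 11:40:50.101281881 CEST\t49697\t19062\t192.168.2.3\t83.97.73.122\n"
    "May 26, 2023 11:40:50.262445927 CEST\t49697\t19062\t192.168.2.3\t83.97.73.122\n"
)

# Remote ports on which a sandboxed sample talking to the internet is unremarkable.
# Assumed for this example; tune to the environment.
EXPECTED_PORTS = {80, 443, 8080}

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_timestamp(text: str) -> datetime:
    """Parse 'May 26, 2023 11:40:45.838387966 CEST'. The fraction carries
    nanoseconds and datetime holds microseconds, so the tail is truncated;
    the zone label is dropped because every row shares it."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


@dataclass
class Packet:
    ts: datetime
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str

    @property
    def outbound(self) -> bool:
        # Direction from RFC 1918 membership: the analysis VM has a private
        # address, the remote peer a public one.
        src, dst = ipaddress.ip_address(self.src_ip), ipaddress.ip_address(self.dst_ip)
        return src.is_private and not dst.is_private


def parse_rows(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, sp, dp, sip, dip = line.split("\t")
            packets.append(Packet(parse_timestamp(ts), int(sp), int(dp), sip, dip))
    return packets


@dataclass
class Session:
    remote_ip: str
    remote_port: int
    local_port: int
    first: datetime
    last: datetime
    out_pkts: int = 0
    in_pkts: int = 0

    @property
    def duration_s(self) -> float:
        return (self.last - self.first).total_seconds()

    def reasons(self) -> List[str]:
        """Why an analyst should look at this session; empty means nothing odd."""
        out = []
        if self.remote_port not in EXPECTED_PORTS:
            out.append(f"remote port {self.remote_port} outside the expected set")
        if self.in_pkts and self.out_pkts:
            out.append("two-way exchange, not a lone SYN")
        return out


def summarize(packets: List[Packet]) -> Dict[Tuple[str, int], Session]:
    """Collapse per-packet rows into one Session per remote ip:port."""
    sessions: Dict[Tuple[str, int], Session] = {}
    for p in packets:
        if p.outbound:
            key, local = (p.dst_ip, p.dst_port), p.src_port
        else:
            key, local = (p.src_ip, p.src_port), p.dst_port
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = Session(key[0], key[1], local, p.ts, p.ts)
        if p.outbound:
            s.out_pkts += 1
        else:
            s.in_pkts += 1
        s.first, s.last = min(s.first, p.ts), max(s.last, p.ts)
    return sessions


def ioc_lines(sessions: Dict[Tuple[str, int], Session]) -> List[str]:
    """ip:port indicators for every session that has at least one reason."""
    return [f"{s.remote_ip}:{s.remote_port}" for s in sessions.values() if s.reasons()]


if __name__ == "__main__":
    for s in summarize(parse_rows(SAMPLE_ROWS)).values():
        print(f"{s.remote_ip}:{s.remote_port} local={s.local_port} out={s.out_pkts} "
              f"in={s.in_pkts} span={s.duration_s:.3f}s reasons={s.reasons()}")
```

Grouping by remote endpoint rather than by 5-tuple is deliberate: a stealer that reconnects from a fresh ephemeral port still collapses onto the same C2 indicator, which is what goes into a blocklist.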

Target ID:0
Start time:11:40:16
Start date:26/05/2023
Path:C:\Users\user\Desktop\qu0t4ukLoN.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\qu0t4ukLoN.exe
Imagebase:0xa90000
File size:782336 bytes
MD5 hash:1DF346C349B9B71B11825690BE73E635
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:1
Start time:11:40:17
Start date:26/05/2023
Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\v7020033.exe
Imagebase:0x210000
File size:457216 bytes
MD5 hash:A9A0FDF699EB764206C59FF3CA3FAC53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.357315003.0000000004D41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 50%, ReversingLabs
Reputation:low

Target ID:2
Start time:11:40:17
Start date:26/05/2023
Path:C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP001.TMP\v6434086.exe
Imagebase:0xbc0000
File size:281600 bytes
MD5 hash:4D67FD4D3D62A45215D1FBDF9CA87397
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000003.358780202.0000000004C12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:3
Start time:11:40:18
Start date:26/05/2023
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\a4758283.exe
Imagebase:0x400000
File size:186366 bytes
MD5 hash:1BE37E0816A88025F557178CA7FC03C8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 39%, ReversingLabs
Reputation:low

Target ID:4
Start time:11:40:18
Start date:26/05/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:5
Start time:11:40:19
Start date:26/05/2023
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:0xe0000
File size:98912 bytes
MD5 hash:6807F903AC06FF7E1670181378690B22
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Target ID:6
Start time:11:40:19
Start date:26/05/2023
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe
Imagebase:0xe80000
File size:148489 bytes
MD5 hash:927C5B1DEF98D855184A0ED56D8A2787
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000000.361157707.0000000000E82000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.426987259.000000000325F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\b7687179.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 78%, ReversingLabs
Reputation:low

Target ID:7
Start time:11:40:26
Start date:26/05/2023
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:0x7ff658210000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

                                                                                                                                                              Target ID:8
                                                                                                                                                              Start time:11:40:35
                                                                                                                                                              Start date:26/05/2023
                                                                                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                                                                                                                                                              Imagebase:0x7ff658210000
                                                                                                                                                              File size:69632 bytes
                                                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              Target ID:9
                                                                                                                                                              Start time:11:40:43
                                                                                                                                                              Start date:26/05/2023
                                                                                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                                                                                                                                                              Imagebase:0x7ff658210000
                                                                                                                                                              File size:69632 bytes
                                                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              No disassembly