
Windows Analysis Report
Igv6ymbAA3.exe

Overview

General Information

Sample Name: Igv6ymbAA3.exe
Original Sample Name: 18ecf495a7e8dc91de0f57f60c9896f8.exe
Analysis ID: 876997
MD5: 18ecf495a7e8dc91de0f57f60c9896f8
SHA1: 10a613527dc3d67c40957b9ee2eb8e0a4dd79fcc
SHA256: f4e57d6160cc7f2ad503c3b1627cb5176ccc6e20490399b3700cdf7eeef8beec
Tags: 32, exe, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • Igv6ymbAA3.exe (PID: 5896 cmdline: C:\Users\user\Desktop\Igv6ymbAA3.exe MD5: 18ECF495A7E8DC91DE0F57F60C9896F8)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "51.210.170.199:23368", "Bot Id": "LogsDiller Cloud (Telegram: @logsdillabot)", "Authorization Header": "c2955ed3813a798683a185a82e949f88"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
        • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
        • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
        • 0x1300:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 A6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
        • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
        • 0x1fdd0:$s5: delete[]
        • 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
          • 0x1e462:$pat14: , CommandLine:
          • 0x14a52:$v2_1: ListOfProcesses
          • 0x13170:$v4_3: base64str
          • 0x1312f:$v4_4: stringKey
          • 0x1317a:$v4_5: BytesToStringConverted
          • 0x13165:$v4_6: FromBase64
          • 0x1470d:$v4_8: procName
00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp | MAL_Malware_Imphash_Mar23_1 | Detects malware by known bad imphash or rich_pe_header_hash | Arnim Rupp
Source | Rule | Description | Author | Strings
0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack | MAL_Malware_Imphash_Mar23_1 | Detects malware by known bad imphash or rich_pe_header_hash | Arnim Rupp
0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
                • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
                • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
                • 0x700:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 A6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
                • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
                • 0x1e9d0:$s5: delete[]
                • 0x1de88:$s6: constructor or from DllMain.
0.2.Igv6ymbAA3.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Igv6ymbAA3.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
                  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
                  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
                  • 0x1300:$s3: 83 EC 38 53 B0 B8 88 44 24 2B 88 44 24 2F B0 A6 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
                  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
                  • 0x1fdd0:$s5: delete[]
                  • 0x1f288:$s6: constructor or from DllMain.
                  No Sigma rule has matched
Timestamp: 05/28/23-10:33:05.871920
Source IP: 192.168.2.3
Destination IP: 51.210.170.199
Source Port: 49701
Destination Port: 23368
SID: 2043233
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-10:33:20.355629
Source IP: 192.168.2.3
Destination IP: 51.210.170.199
Source Port: 49701
Destination Port: 23368
SID: 2043231
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-10:33:06.698130
Source IP: 51.210.170.199
Destination IP: 192.168.2.3
Source Port: 23368
Destination Port: 49701
SID: 2043234
Protocol: TCP
Classtype: A Network Trojan was detected


                  AV Detection

Source: 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "51.210.170.199:23368", "Bot Id": "LogsDiller Cloud (Telegram: @logsdillabot)", "Authorization Header": "c2955ed3813a798683a185a82e949f88"}
Source: Igv6ymbAA3.exe | Virustotal: Detection: 40%
Source: Igv6ymbAA3.exe | Joe Sandbox ML: detected

                  Compliance

Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | Unpacked PE file: 0.2.Igv6ymbAA3.exe.400000.0.unpack
Source: Igv6ymbAA3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: R"C:\putomeru\rivigonahehu\nafuzul.pdb source: Igv6ymbAA3.exe
                  Source: Binary string: _.pdb source: Igv6ymbAA3.exe, 00000000.00000002.401980636.0000000002657000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\putomeru\rivigonahehu\nafuzul.pdb source: Igv6ymbAA3.exe

                  Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49701 -> 51.210.170.199:23368
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49701 -> 51.210.170.199:23368
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 51.210.170.199:23368 -> 192.168.2.3:49701
Source: Malware configuration extractor | URLs: 51.210.170.199:23368
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: Joe Sandbox View | IP Address: 51.210.170.199 51.210.170.199
Source: global traffic | TCP traffic: 192.168.2.3:49701 -> 51.210.170.199:23368
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response$9
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response(
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.401980636.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: Igv6ymbAA3.exe, 00000000.00000002.401213502.000000000097A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

Source: 0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.262f71e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.Igv6ymbAA3.exe.9ee370.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2700ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2700000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.262f71e.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2850000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.262e836.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2700ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2410e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.262e836.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2850000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Igv6ymbAA3.exe.2700000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.Igv6ymbAA3.exe.9ee370.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.401246578.0000000000989000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Igv6ymbAA3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: 0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: 0.2.Igv6ymbAA3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.262f71e.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.Igv6ymbAA3.exe.9ee370.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2700ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2700000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.262f71e.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2850000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.262e836.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2700ee8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2410e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: 0.2.Igv6ymbAA3.exe.2410e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.262e836.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Igv6ymbAA3.exe.2850000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.Igv6ymbAA3.exe.2700000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.Igv6ymbAA3.exe.9ee370.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                  Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000002.401246578.0000000000989000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040DC11
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00407C3F
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00418CCC
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00406CA0
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004028B0
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0041A4BE
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00418244
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00401650
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00402F20
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004193C4
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00418788
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00402F89
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00402B90
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004073A0
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02412B17
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241786D
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024118B7
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024289EF
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024131F0
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02413187
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241DE78
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02418EC7
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02417EA6
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02416F07
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0242A725
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02428F33
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024177D9
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024284AB
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02412DF7
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: String function: 0241E43F appears 44 times
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000003.350331599.000000000247B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.401518261.000000000243C000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.401980636.0000000002657000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.401980636.0000000002657000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003953000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.400990974.000000000043D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGuardant.exe4 vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Igv6ymbAA3.exe
                  Source: Igv6ymbAA3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Igv6ymbAA3.exe Virustotal: Detection: 40%
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe File created: C:\Users\user\AppData\Local\SystemCache
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Command line argument: 08A
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Igv6ymbAA3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Binary string: R"C:\putomeru\rivigonahehu\nafuzul.pdb source: Igv6ymbAA3.exe
                  Source: Binary string: _.pdb source: Igv6ymbAA3.exe, 00000000.00000002.401980636.0000000002657000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\putomeru\rivigonahehu\nafuzul.pdb source: Igv6ymbAA3.exe

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Unpacked PE file: 0.2.Igv6ymbAA3.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Unpacked PE file: 0.2.Igv6ymbAA3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0041C40C push cs; iretd
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00423149 push eax; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0041C50E push cs; iretd
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004231C8 push eax; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040E21D push ecx; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0041C6BE push ebx; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0242C125 push ebx; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0242BE73 push cs; iretd
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0242BF75 push cs; iretd
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241E484 push ecx; ret
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: initial sample Static PE information: section name: .text entropy: 7.755781377893314
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe TID: 4764 Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe TID: 6996 Thread sleep count: 4207 > 30
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe TID: 5864 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Window / User API: threadDelayed 4207
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe API call chain: ExitProcess graph end node
                  Source: Igv6ymbAA3.exe, 00000000.00000002.401283248.0000000000A50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02410D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241D070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_0241E883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_024271D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Code function: 0_2_02422658 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\Igv6ymbAA3.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262f71e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.9ee370.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262f71e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2850000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262e836.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700ee8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2410e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262e836.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2850000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.9ee370.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401980636.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Igv6ymbAA3.exe PID: 5896, type: MEMORYSTR
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Igv6ymbAA3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match | File source: 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Igv6ymbAA3.exe PID: 5896, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.2450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262f71e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.9ee370.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262f71e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2850000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262e836.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700ee8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2410e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.262e836.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2850000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Igv6ymbAA3.exe.2700000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Igv6ymbAA3.exe.9ee370.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401980636.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Igv6ymbAA3.exe PID: 5896, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic in the report's cell order; the numbers are the per-cell count badges shown in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (221); Command and Scripting Interpreter (2); Native API (2); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (251); Virtualization/Sandbox Evasion (231); Process Discovery (12); Application Window Discovery (1); System Information Discovery (134)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source | Detection | Scanner | Label | Link
Igv6ymbAA3.exe | 41% | Virustotal | | Browse
Igv6ymbAA3.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22Response( | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response$9 | 0% | Avira URL Cloud | safe |
51.210.170.199:23368 | 0% | Avira URL Cloud | safe |
51.210.170.199:23368 | 0% | Virustotal | | Browse
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
51.210.170.199:23368 | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22Response( | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | Igv6ymbAA3.exe, 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.401980636.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response$9 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id1ResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id10Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id11Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id12Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id16ResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id13Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id14Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id15Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id16Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id17Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id18Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id5ResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id19Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id10ResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm8DIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id8ResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://search.yahoo.com?fr=crmas_sfpfIgv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003DBC000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.402656262.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Igv6ymbAA3.exe, 00000000.00000002.403988658.0000000003C26000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1Igv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trustIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/06/addressingexIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoorIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceIgv6ymbAA3.exe, 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/faultIgv6ymbAA3.exe, 00000000.00000002.402656262.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):

IP: 51.210.170.199
Domain: unknown
Country: France
ASN: 16276
ASN Name: OVHFR
Malicious: true
General Information

Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 876997
Start date and time: 2023-05-28 10:32:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 24s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Igv6ymbAA3.exe
Original Sample Name: 18ecf495a7e8dc91de0f57f60c9896f8.exe
Detection: MAL
                                                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                                                                                                                                                  EGA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  HDC Information:
                                                                                                                                                  • Successful, ratio: 12.1% (good quality ratio 11.6%)
                                                                                                                                                  • Quality average: 85%
                                                                                                                                                  • Quality standard deviation: 24.9%
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                  • Stop behavior analysis, all processes terminated
                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                                                                                                                                                  • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:33:16 | API Interceptor | 25x Sleep call for process: Igv6ymbAA3.exe modified
                                                                                                                                                  Process:C:\Users\user\Desktop\Igv6ymbAA3.exe
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):2843
                                                                                                                                                  Entropy (8bit):5.3371553026862095
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:MIHK5HKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHK1Hl:Pq5qXeqm00YqhQnouOqLqdqNq2qzcGtx
                                                                                                                                                  MD5:E9C2F4CC11CEA097B88D7D224F41A5B3
                                                                                                                                                  SHA1:B16891C1E967E2803C1F994CA61ED82A52233C54
                                                                                                                                                  SHA-256:843CF5780CF7C018F8431C1A69DB910BDC039E48C495A2C854A0C1A9C52CAF82
                                                                                                                                                  SHA-512:2259C7E86AE80AC4CB26AB22FE50295D2C17E45BF31DF0BC3E91BCC9063300616764C1219E9B40A16EED0D2D63035B0EF1ED7B1BDBAEDF9408BF9D46E5A86D48
                                                                                                                                                  Malicious:true
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Cultu
                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):6.963681234872864
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                  File name:Igv6ymbAA3.exe
                                                                                                                                                  File size:356864
                                                                                                                                                  MD5:18ecf495a7e8dc91de0f57f60c9896f8
                                                                                                                                                  SHA1:10a613527dc3d67c40957b9ee2eb8e0a4dd79fcc
                                                                                                                                                  SHA256:f4e57d6160cc7f2ad503c3b1627cb5176ccc6e20490399b3700cdf7eeef8beec
                                                                                                                                                  SHA512:51d57cb2d51bd314252da33b35d8c3d40b83f783a9bfd3475fe4d34d3472d497e8fd02c915d5ce687d33f4770ec26c609de06c64d1607198aa0bba8d0c7a01ab
                                                                                                                                                  SSDEEP:6144:Ofr4CTYnMaqblzRhIVpCaTLymSB+1Va/dliK+jzTtim:U/TYM7bhRhmCaTRSKqdAPTtim
                                                                                                                                                  TLSH:C0745B1382A13E96E9A64B769E1FD6E8761EF1708F597769321CFA1F08700B2D173B10
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L....?.b...........
                                                                                                                                                  Icon Hash:454941454d55691d
                                                                                                                                                  Entrypoint:0x404e59
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x62E73FCE [Mon Aug 1 02:51:58 2022 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:5
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:5
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:2d9ed3462f8a74bfd1231e2e9de56b43
                                                                                                                                                  Instruction
                                                                                                                                                  call 00007F4D3CD9DD53h
                                                                                                                                                  jmp 00007F4D3CD993EDh
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                  test ecx, 00000003h
                                                                                                                                                  je 00007F4D3CD99596h
                                                                                                                                                  mov al, byte ptr [ecx]
                                                                                                                                                  add ecx, 01h
                                                                                                                                                  test al, al
                                                                                                                                                  je 00007F4D3CD995C0h
                                                                                                                                                  test ecx, 00000003h
                                                                                                                                                  jne 00007F4D3CD99561h
                                                                                                                                                  add eax, 00000000h
                                                                                                                                                  lea esp, dword ptr [esp+00000000h]
                                                                                                                                                  lea esp, dword ptr [esp+00000000h]
                                                                                                                                                  mov eax, dword ptr [ecx]
                                                                                                                                                  mov edx, 7EFEFEFFh
                                                                                                                                                  add edx, eax
                                                                                                                                                  xor eax, FFFFFFFFh
                                                                                                                                                  xor eax, edx
                                                                                                                                                  add ecx, 04h
                                                                                                                                                  test eax, 81010100h
                                                                                                                                                  je 00007F4D3CD9955Ah
                                                                                                                                                  mov eax, dword ptr [ecx-04h]
                                                                                                                                                  test al, al
                                                                                                                                                  je 00007F4D3CD995A4h
                                                                                                                                                  test ah, ah
                                                                                                                                                  je 00007F4D3CD99596h
                                                                                                                                                  test eax, 00FF0000h
                                                                                                                                                  je 00007F4D3CD99585h
                                                                                                                                                  test eax, FF000000h
                                                                                                                                                  je 00007F4D3CD99574h
                                                                                                                                                  jmp 00007F4D3CD9953Fh
                                                                                                                                                  lea eax, dword ptr [ecx-01h]
                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                  sub eax, ecx
                                                                                                                                                  ret
                                                                                                                                                  lea eax, dword ptr [ecx-02h]
                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                  sub eax, ecx
                                                                                                                                                  ret
                                                                                                                                                  lea eax, dword ptr [ecx-03h]
                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                  sub eax, ecx
                                                                                                                                                  ret
                                                                                                                                                  lea eax, dword ptr [ecx-04h]
                                                                                                                                                  mov ecx, dword ptr [esp+04h]
                                                                                                                                                  sub eax, ecx
                                                                                                                                                  ret
                                                                                                                                                  mov edi, edi
                                                                                                                                                  push ebp
                                                                                                                                                  mov ebp, esp
                                                                                                                                                  sub esp, 20h
                                                                                                                                                  mov eax, dword ptr [ebp+08h]
                                                                                                                                                  push esi
                                                                                                                                                  push edi
                                                                                                                                                  push 00000008h
                                                                                                                                                  pop ecx
                                                                                                                                                  mov esi, 004012D8h
                                                                                                                                                  lea edi, dword ptr [ebp-20h]
                                                                                                                                                  rep movsd
                                                                                                                                                  mov dword ptr [ebp-08h], eax
                                                                                                                                                  mov eax, dword ptr [ebp+0Ch]
                                                                                                                                                  pop edi
                                                                                                                                                  mov dword ptr [ebp-04h], eax
                                                                                                                                                  pop esi
                                                                                                                                                  Programming Language:
                                                                                                                                                  • [ASM] VS2008 build 21022
                                                                                                                                                  • [ C ] VS2008 build 21022
                                                                                                                                                  • [C++] VS2008 build 21022
                                                                                                                                                  • [IMP] VS2005 build 50727
                                                                                                                                                  • [RES] VS2008 build 21022
                                                                                                                                                  • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x38ba8          0x64          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x280000         0x19398       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x29a000         0xddc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1220           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3150           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x3866a       0x38800   False     0.8478723036504425   data       7.755781377893314   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x3a000          0x245844      0x1e00    unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x280000         0x19398       0x19400   False     0.3788869121287129   data       4.259520200570937   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x29a000         0x33d8        0x3400    False     0.22611177884615385  data       2.5254465339166545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                          Language  Country
RT_ICON        0x280730  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON        0x2815d8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON        0x281e80  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON        0x284428  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON        0x2854d0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON        0x285988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON        0x286830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON        0x2870d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON        0x287640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON        0x289be8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON        0x28ac90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON        0x28b618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON        0x28bae8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON        0x28c990  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON        0x28d238  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON        0x28d900  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON        0x28de68  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON        0x290410  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON        0x2914b8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON        0x291988  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON        0x292830  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON        0x2930d8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON        0x293640  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON        0x295be8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON        0x296c90  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON        0x297618  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING      0x297d20  0x664   data
RT_STRING      0x298388  0x59e   data
RT_STRING      0x298928  0x29a   data
RT_STRING      0x298bc8  0x248   data
RT_STRING      0x298e10  0x582   data
RT_GROUP_ICON  0x297a80  0x68    data
RT_GROUP_ICON  0x285938  0x4c    data
RT_GROUP_ICON  0x291920  0x68    data
RT_GROUP_ICON  0x28ba80  0x68    data
RT_VERSION     0x297ae8  0x238   data
DLL           Import
KERNEL32.dll  GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll    CharLowerBuffA
GDI32.dll     GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll  MapGenericMask
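The section table, data directories and import list above are the parts of a static PE triage that an analyst checks by hand: a .text section with entropy 7.76 (close to the 8.0 maximum), a .data section whose virtual size 0x245844 is roughly 310 times its raw size 0x1e00 (a large region the loader maps but the file does not back, the usual landing zone for unpacked code), an empty SECURITY directory (no Authenticode signature), an empty COM_DESCRIPTOR directory (native code, not .NET) and an import list that contains LoadLibraryA/GetProcAddress and IsDebuggerPresent but nothing that touches WMI, browser files or the registry. The script below is an added example written for this report, not Joe Sandbox code; its numbers are transcribed from the tables above, the thresholds ENTROPY_PACKED and VSIZE_RAW_RATIO and the capability groupings are the author's own heuristics, and the import set is a subset of the KERNEL32 list chosen to illustrate the checks.

```python
"""Static triage over the PE metadata shown in this report (section table, data
directories, import list). Added example, not Joe Sandbox code; values are
transcribed from the report tables, thresholds are the author's own."""
import math
from collections import Counter

# Section table as transcribed from the report: name, virtual size, raw size,
# entropy (None where the report shows "unknown"), characteristics.
SECTIONS = [
    (".text",  0x3866a,  0x38800, 7.755781377893314,  {"CODE", "EXECUTE", "READ"}),
    (".data",  0x245844, 0x1e00,  None,               {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc",  0x19398,  0x19400, 4.259520200570937,  {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x33d8,   0x3400,  2.5254465339166545, {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]

# Data directory sizes from the report that matter for triage.
DATA_DIRS = {"SECURITY": 0x0, "COM_DESCRIPTOR": 0x0, "TLS": 0x0, "DEBUG": 0x1c}

# Subset of the KERNEL32.dll imports listed in the report.
IMPORTS = {
    "GetModuleHandleW", "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "VirtualFree",
    "IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter", "CreateMutexA",
    "OpenMutexW", "TerminateProcess", "ExitProcess", "WriteFile", "CreateFileA", "CloseHandle",
    "HeapAlloc", "HeapFree", "GetCommandLineA", "GetStartupInfoA", "RaiseException", "RtlUnwind",
}

# Heuristic thresholds (author's choice; tune against your own corpus).
ENTROPY_PACKED = 7.2     # close to the 8.0 maximum: compressed or encrypted bytes
VSIZE_RAW_RATIO = 8.0    # mapped region far larger than what the file backs

# APIs that together indicate a capability worth confirming in dynamic analysis.
CAPABILITIES = {
    "resolves APIs at runtime": {"LoadLibraryA", "GetProcAddress"},
    "allocates memory it can later make executable": {"VirtualAlloc"},
    "checks for a debugger": {"IsDebuggerPresent"},
    "reads timers (timing-based evasion)": {"GetTickCount", "QueryPerformanceCounter"},
    "uses a mutex (single-instance check)": {"CreateMutexA", "OpenMutexW"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the measure behind the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections=SECTIONS):
    """Return (section, reason) pairs for sections that look packed or self-modifying."""
    findings = []
    for name, vsize, rsize, entropy, chars in sections:
        if entropy is not None and entropy >= ENTROPY_PACKED:
            findings.append((name, f"entropy {entropy:.2f} >= {ENTROPY_PACKED}"))
        if rsize and vsize / rsize >= VSIZE_RAW_RATIO:
            findings.append((name, f"virtual size is {vsize / rsize:.0f}x raw size"))
        if {"EXECUTE", "WRITE"} <= chars:
            findings.append((name, "writable and executable"))
    return findings


def capability_findings(imports=IMPORTS):
    """Map each capability to the imported APIs that support it; absent when none is imported."""
    return {cap: sorted(apis & imports) for cap, apis in CAPABILITIES.items() if apis & imports}


def triage(sections=SECTIONS, data_dirs=DATA_DIRS, imports=IMPORTS):
    """Combine the checks into one verdict dictionary."""
    return {
        "authenticode_signed": data_dirs.get("SECURITY", 0) > 0,
        "dotnet_assembly": data_dirs.get("COM_DESCRIPTOR", 0) > 0,
        "tls_callbacks_possible": data_dirs.get("TLS", 0) > 0,
        "sections": section_findings(sections),
        "capabilities": capability_findings(imports),
    }


if __name__ == "__main__":
    # Sanity check of the entropy measure on constructed input, then the report's numbers.
    print(f"uniform: {shannon_entropy(bytes(range(256))):.2f}  constant: {shannon_entropy(b'A' * 64):.2f}")
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On this sample the script flags .text for entropy and .data for its virtual/raw size ratio, reports no signature and no .NET header, and lists the runtime-resolution, debugger-check and timer APIs. The caveat that matters: for a packed binary the static import table describes the unpacking stub, not the payload. Nothing in the list above references ole32/oleaut32 (WMI), browser databases or credential stores, so every such capability has to be resolved at run time through the imported LoadLibraryA/GetProcAddress pair, and the static list should be read as a lower bound.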
Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP       Dest IP
05/28/23-10:33:05.871920  TCP       2043233  ET TROJAN RedLine Stealer TCP CnC net.tcp Init    49701        23368      192.168.2.3     51.210.170.199
05/28/23-10:33:20.355629  TCP       2043231  ET TROJAN Redline Stealer TCP CnC Activity        49701        23368      192.168.2.3     51.210.170.199
05/28/23-10:33:06.698130  TCP       2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response  23368        49701      51.210.170.199  192.168.2.3
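The "net.tcp Init" alert name refers to the .NET Message Framing (MC-NMF) preamble that a WCF client using the net.tcp binding sends as the first bytes of a connection; RedLine's C2 channel is a WCF net.tcp service carried over a raw TCP port, here 23368, so the Init rule fires on the client's first data segment and the Id1Response rule on the server's side of the exchange. The parser below is an added example written for this report, not Joe Sandbox code and not the body of the Emerging Threats rules; it decodes the preamble records from the MC-NMF record layout (Version, Mode, Via, Known Encoding, Preamble End, answered by Preamble Ack) and applies a hunting heuristic of the author's own. The byte strings are constructed, not taken from the capture: they use the endpoint 51.210.170.199:23368 from this report, and the Duplex mode and in-band-dictionary binary encoding are assumptions about a typical WCF client, not observed values.

```python
"""Parser for the .NET Message Framing (MC-NMF) preamble that WCF's net.tcp
binding sends when a connection opens. Added example, not Joe Sandbox code and
not the Emerging Threats rule body; the byte strings are constructed by the
author from the MC-NMF record layout using the endpoint shown in this report."""
import ipaddress
from urllib.parse import urlsplit

# MC-NMF record types that appear in the preamble (client) and its acknowledgement (server).
VERSION, MODE, VIA, KNOWN_ENCODING, PREAMBLE_ACK, PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0B, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x00: "UTF-8 SOAP 1.1", 0x01: "UTF-16 SOAP 1.1", 0x02: "Unicode LE SOAP 1.1",
             0x03: "UTF-8 SOAP 1.2", 0x04: "UTF-16 SOAP 1.2", 0x05: "Unicode LE SOAP 1.2",
             0x06: "MTOM SOAP 1.2", 0x07: "Binary SOAP 1.2",
             0x08: "Binary SOAP 1.2, in-band dictionary"}
DEFAULT_NET_TCP_PORT = 808   # the port WCF uses when the endpoint URI names none


def read_varint(buf: bytes, pos: int):
    """MC-NMF sizes are little-endian 7-bit varints of at most five bytes."""
    value = shift = 0
    for _ in range(5):
        if pos >= len(buf):
            raise ValueError("preamble truncated inside a size field")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("size varint longer than five bytes")


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def parse_preamble(buf: bytes) -> dict:
    """Decode records up to and including Preamble End; raise on anything that is not a preamble."""
    pos, out = 0, {}

    def take(count):
        nonlocal pos
        if pos + count > len(buf):
            raise ValueError("preamble truncated inside a record")
        chunk = buf[pos:pos + count]
        pos += count
        return chunk

    while pos < len(buf):
        rtype = buf[pos]
        pos += 1
        if rtype == VERSION:
            major, minor = take(2)
            out["version"] = (major, minor)
        elif rtype == MODE:
            out["mode"] = MODES.get(take(1)[0], "unknown")
        elif rtype == VIA:
            size, pos = read_varint(buf, pos)
            out["via"] = take(size).decode("utf-8")
        elif rtype == KNOWN_ENCODING:
            out["encoding"] = ENCODINGS.get(take(1)[0], "unknown")
        elif rtype == PREAMBLE_END:
            out["preamble_end"] = True
            return out
        else:
            raise ValueError(f"unexpected record type 0x{rtype:02x} at offset {pos - 1}")
    raise ValueError("preamble truncated before Preamble End")


def build_preamble(via: str, mode: int = 0x02, encoding: int = 0x08) -> bytes:
    """Constructed client preamble: Version 1.0, Mode, Via, Known Encoding, Preamble End."""
    via_bytes = via.encode("utf-8")
    return (bytes([VERSION, 1, 0, MODE, mode, VIA]) + encode_varint(len(via_bytes)) + via_bytes
            + bytes([KNOWN_ENCODING, encoding, PREAMBLE_END]))


def is_preamble_ack(buf: bytes) -> bool:
    """The server's whole reply to a valid preamble is the single byte 0x0B."""
    return len(buf) >= 1 and buf[0] == PREAMBLE_ACK


def suspicious_via(via: str) -> bool:
    """Author's hunting heuristic: net.tcp to a literal IP on a non-default port is unusual for
    legitimate WCF services, which normally sit behind a hostname on port 808."""
    parts = urlsplit(via)
    if parts.scheme != "net.tcp":
        return False
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return (parts.port or DEFAULT_NET_TCP_PORT) != DEFAULT_NET_TCP_PORT


# Constructed exchange using the C2 endpoint from this report (51.210.170.199:23368).
CLIENT_INIT = build_preamble("net.tcp://51.210.170.199:23368/")
SERVER_ACK = bytes([PREAMBLE_ACK])

if __name__ == "__main__":
    info = parse_preamble(CLIENT_INIT)
    print(info, "ack:", is_preamble_ack(SERVER_ACK), "suspicious:", suspicious_via(info["via"]))
```

To apply this to a capture, hand parse_preamble the payload of the client's first data segment and is_preamble_ack the first byte the server returns. In the packet list that follows, the Init alert's timestamp 10:33:05.871920 matches the client segment at that time, the first one after the three packets at 10:33:05.533 to 05.566 that are consistent with the TCP handshake, and the Id1Response alert at 10:33:06.698130 matches the server segment at 10:33:06.698129. The Via URI is the durable indicator here: a rule on the six-byte Version/Mode prefix alone would also match any legitimate WCF client, so the host-and-port check on the Via is what separates this traffic from benign net.tcp.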
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 28, 2023 10:33:05.533560991 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:05.562397003 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:05.566582918 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:05.871920109 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:05.902595997 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:05.949218988 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:06.668385029 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:06.698129892 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:06.746134996 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:14.263818979 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:14.297100067 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:14.297166109 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:14.297219992 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:14.297239065 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:14.340572119 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.257227898 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.288314104 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.434360981 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.589613914 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.617861032 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.634917974 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.663518906 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.677033901 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.707966089 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.729003906 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.757349014 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.811477900 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.839639902 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.843931913 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.872005939 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.873869896 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.901968002 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.951283932 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:15.978918076 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.979000092 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.979039907 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.979079008 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.979975939 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:15.987600088 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.015773058 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.128205061 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.156337976 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.158643961 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.186841011 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.246958971 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.414422035 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.441956997 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442012072 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442051888 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442087889 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442123890 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442158937 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442244053 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.442317009 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442323923 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.442359924 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.442436934 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442529917 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442540884 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.442781925 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.442909002 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.469741106 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469794035 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469836950 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469872952 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469911098 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469947100 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.469993114 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.469994068 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470072985 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470109940 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470113993 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470175982 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470210075 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470283985 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470377922 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470400095 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470482111 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470524073 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470558882 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470627069 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470649004 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470662117 CEST  49701        23368      192.168.2.3     51.210.170.199
May 28, 2023 10:33:16.470798969 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.470835924 CEST  23368        49701      51.210.170.199  192.168.2.3
May 28, 2023 10:33:16.471026897 CEST  23368        49701      51.210.170.199  192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.471116066 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.471204042 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.471309900 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.471580029 CEST4970123368192.168.2.351.210.170.199
                                                                                                                                                  May 28, 2023 10:33:16.497410059 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.497462034 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.497500896 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.497575045 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.497670889 CEST4970123368192.168.2.351.210.170.199
                                                                                                                                                  May 28, 2023 10:33:16.497778893 CEST4970123368192.168.2.351.210.170.199
                                                                                                                                                  May 28, 2023 10:33:16.497778893 CEST4970123368192.168.2.351.210.170.199
                                                                                                                                                  May 28, 2023 10:33:16.497801065 CEST233684970151.210.170.199192.168.2.3
                                                                                                                                                  May 28, 2023 10:33:16.497898102 CEST4970123368192.168.2.351.210.170.199
                                                                                                                                                  May 28, 2023 10:33:16.497925043 CEST233684970151.210.170.199192.168.2.3
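The TCP packet rows above are easier to act on once folded into a flow: which remote endpoint the guest talked to, how many packets went each way, and over what span. The following script is an added example, not part of the Joe Sandbox report or its tooling. It parses rows in the "timestamp zone source-port dest-port source-ip dest-ip" layout, identifies the remote side by subnet (the assumption that the analysis guest lives in 192.168.2.0/24 is the author's, not stated by the report), and keeps nanosecond precision so durations are exact. The sample rows are a subset copied from the table above.

```python
"""Flow summary for a Joe Sandbox "TCP Packets" timeline.

Added example; it is not part of the Joe Sandbox report. It parses rows of
the form "<timestamp> <zone> <src port> <dst port> <src ip> <dst ip>", folds
both directions into one flow keyed on the remote endpoint, and returns the
packet counts, the exact span in nanoseconds and an ip:port indicator.
The local guest subnet is an assumption.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Assumption: the analysis guest sits in 192.168.2.0/24 (true for the rows above).
LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")
EPOCH = datetime(1970, 1, 1)

ROW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,9})"
    r"\s+(?P<zone>[A-Z]+)\s+(?P<sport>\d{1,5})\s+(?P<dport>\d{1,5})"
    r"\s+(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Sample input: a subset of the rows from the table above.
SAMPLE_ROWS = """
May 28, 2023 10:33:16.469947100 CEST 23368 49701 51.210.170.199 192.168.2.3
May 28, 2023 10:33:16.469993114 CEST 49701 23368 192.168.2.3 51.210.170.199
May 28, 2023 10:33:16.470072985 CEST 23368 49701 51.210.170.199 192.168.2.3
May 28, 2023 10:33:16.470113993 CEST 49701 23368 192.168.2.3 51.210.170.199
May 28, 2023 10:33:16.471580029 CEST 49701 23368 192.168.2.3 51.210.170.199
May 28, 2023 10:33:16.497410059 CEST 23368 49701 51.210.170.199 192.168.2.3
May 28, 2023 10:33:16.497925043 CEST 23368 49701 51.210.170.199 192.168.2.3
""".strip().splitlines()


def parse_ns(date_part: str, frac: str) -> int:
    """Nanoseconds since the epoch, zone ignored (only differences are used)."""
    base = datetime.strptime(date_part, "%b %d, %Y %H:%M:%S")
    whole = int((base - EPOCH).total_seconds())
    return whole * 10**9 + int(frac.ljust(9, "0"))


@dataclass
class Flow:
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int
    inbound: int = 0      # packets remote -> guest
    outbound: int = 0     # packets guest -> remote
    first_ns: int = 0
    last_ns: int = 0

    @property
    def duration_ns(self) -> int:
        return self.last_ns - self.first_ns

    @property
    def indicator(self) -> str:
        return f"{self.remote_ip}:{self.remote_port}"


def summarize(rows: list[str]) -> list[Flow]:
    """Fold packet rows into flows; rows that do not parse are skipped."""
    flows: dict[tuple[str, int, str, int], Flow] = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        ts = parse_ns(m["ts"], m["frac"])
        src_local = ipaddress.ip_address(m["sip"]) in LOCAL_NET
        dst_local = ipaddress.ip_address(m["dip"]) in LOCAL_NET
        if src_local == dst_local:
            continue  # guest-to-guest or purely external traffic: not a C2 candidate
        if src_local:
            key = (m["dip"], int(m["dport"]), m["sip"], int(m["sport"]))
        else:
            key = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(*key, first_ns=ts, last_ns=ts)
        if src_local:
            flow.outbound += 1
        else:
            flow.inbound += 1
        flow.first_ns = min(flow.first_ns, ts)
        flow.last_ns = max(flow.last_ns, ts)
    # A data-packet excerpt does not show who opened the connection, so the
    # remote side is identified by subnet rather than by packet order.
    return sorted(flows.values(), key=lambda f: f.first_ns)


if __name__ == "__main__":
    for f in summarize(SAMPLE_ROWS):
        print(f"{f.indicator}  in={f.inbound} out={f.outbound} "
              f"span={f.duration_ns / 1e9:.6f}s local_port={f.local_port}")
```

Run against the full table the same way; the indicator it yields for these rows is the remote endpoint on port 23368, which is the value worth carrying into a blocklist or a network detection rather than the guest's ephemeral port 49701.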
No statistics

Target ID: 0
Start time: 10:32:56
Start date: 28/05/2023
Path: C:\Users\user\Desktop\Igv6ymbAA3.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Igv6ymbAA3.exe
Imagebase: 0x400000
File size: 356864 bytes
MD5 hash: 18ECF495A7E8DC91DE0F57F60C9896F8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.400990974.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.402241386.0000000002850000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.350331599.0000000002450000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.401980636.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.402147783.0000000002700000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.350614100.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.401518261.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.401246578.0000000000989000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.402656262.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly