Windows Analysis Report
VBY5zBdZox

Overview

General Information

Sample Name: VBY5zBdZox (renamed file extension from none to exe)
Analysis ID: 651254
MD5: acc0fb4cb35df2d49fc609f2e299ed5e
SHA1: fff261da7332d1bef4253539c3217dcedce99a17
SHA256: 907b6500dba0a048d51a3381fafed7e8b6eb256381f53c6471ebb6d305fddfd4
Tags: 32exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • VBY5zBdZox.exe (PID: 3176 cmdline: "C:\Users\user\Desktop\VBY5zBdZox.exe" MD5: ACC0FB4CB35DF2D49FC609F2E299ED5E)
  • cleanup
Malware configuration (RedLine): {"C2 url": ["193.106.191.246:23196"], "Bot Id": "RUZKI", "Authorization Header": "121027c094f768a0a0e9b562f6417952"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x27856:$pat14: , CommandLine:
  • 0x1c01a:$v2_1: ListOfProcesses
  • 0x1b7bd:$v4_3: base64str
  • 0x1b78a:$v4_4: stringKey
  • 0x1b7c7:$v4_5: BytesToStringConverted
  • 0x1b7b2:$v4_6: FromBase64
  • 0x1bcd5:$v4_8: procName
  • 0x1991d:$v5_7: RecordHeaderField
  • 0x19859:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(11 entries in the full report; remainder not shown)

Source | Rule | Description | Author | Strings
0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 87 88 44 24 2B 88 44 24 2F B0 AB 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.2.VBY5zBdZox.exe.2950ee8.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.VBY5zBdZox.exe.2950ee8.2.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x25a56:$pat14: , CommandLine:
  • 0x1a21a:$v2_1: ListOfProcesses
  • 0x199bd:$v4_3: base64str
  • 0x1998a:$v4_4: stringKey
  • 0x199c7:$v4_5: BytesToStringConverted
  • 0x199b2:$v4_6: FromBase64
  • 0x19ed5:$v4_8: procName
  • 0x17b1d:$v5_7: RecordHeaderField
  • 0x17a59:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.VBY5zBdZox.exe.2a63a26.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(33 entries in the full report; remainder not shown)

No Sigma rule has matched
Timestamp: 06/23/22-17:51:27.182664
Source IP: 192.168.2.4
Destination IP: 193.106.191.246
Source Port: 49758
Destination Port: 23196
SID: 2850027
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/23/22-17:51:29.952462
Source IP: 192.168.2.4
Destination IP: 193.106.191.246
Source Port: 49758
Destination Port: 23196
SID: 2850286
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/23/22-17:51:28.242070
Source IP: 193.106.191.246
Destination IP: 192.168.2.4
Source Port: 23196
Destination Port: 49758
SID: 2850353
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: VBY5zBdZox.exe | Virustotal: Detection: 34%
Source: VBY5zBdZox.exe | Joe Sandbox ML: detected
Source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["193.106.191.246:23196"], "Bot Id": "RUZKI", "Authorization Header": "121027c094f768a0a0e9b562f6417952"}

Compliance

Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Unpacked PE file: 0.2.VBY5zBdZox.exe.400000.0.unpack
Source: VBY5zBdZox.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: <vF&C:\yibofew\hileyejugeyaxe\bojavonu7\fopadoj dajewinobasimi33\ge.pdb0 source: VBY5zBdZox.exe
Source: Binary string: _.pdb source: VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\yibofew\hileyejugeyaxe\bojavonu7\fopadoj dajewinobasimi33\ge.pdb source: VBY5zBdZox.exe

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49758 -> 193.106.191.246:23196
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49758 -> 193.106.191.246:23196
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 193.106.191.246:23196 -> 192.168.2.4:49758
Source: global traffic | TCP traffic: 193.106.191.246 ports 1,2,3,23196,6,9
Source: Yara match | File source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a6490e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a63a26.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.VBY5zBdZox.exe.c15928.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | ASN Name: BOSPOR-ASRU
Source: Joe Sandbox View | IP Address: 193.106.191.246
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 193.106.191.246:23196
Source: unknown | TCP traffic detected without corresponding DNS query: 193.106.191.246 (reported 13 times)
Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://forms.rea
Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  • http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2002/12/policy
  • http://schemas.xmlsoap.org/ws/2004/04/sc
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust
  • http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2004/10/wsat
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/ws/2005/02/sc
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  • http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.r
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.a
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: VBY5zBdZox.exe, 00000000.00000002.312740213.0000000003165000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: VBY5zBdZox.exe, 00000000.00000002.312740213.0000000003165000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromea
                  Source: VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: VBY5zBdZox.exe, 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.adob
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://helpx.ad
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                  Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                  Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                  Source: VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                  Source: VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                  System Summary

                  Source: 0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2950ee8.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2a63a26.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.3.VBY5zBdZox.exe.c15928.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2950000.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2a6490e.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2950000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2a6490e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.5150000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2a63a26.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2790e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.VBY5zBdZox.exe.2950ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.3.VBY5zBdZox.exe.c15928.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: VBY5zBdZox.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2950ee8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2a63a26.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.VBY5zBdZox.exe.c15928.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2950000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2a6490e.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2950000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2a6490e.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.5150000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2a63a26.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2790e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.VBY5zBdZox.exe.2950ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.VBY5zBdZox.exe.c15928.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0040DC11
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00407C3F
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00418CCC
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00406CA0
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004028B0
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0041A4BE
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00418244
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00401650
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00402F20
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004193C4
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00418788
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00402F89
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00402B90
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004073A0
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02792B17
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0279786D
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027918B7
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027931F0
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027A89EF
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02793187
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0279DE78
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02798EC7
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02797EA6
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027A8F33
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027AA725
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02796F07
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027977D9
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027A84AB
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02792DF7
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: String function: 0279E43F appears 44 times
                  Source: VBY5zBdZox.exe | Binary or memory string: OriginalFilename vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.301966790.0000000000439000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000003.241966851.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.303381786.0000000002790000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEmblematic.exe4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs VBY5zBdZox.exe
                  Source: VBY5zBdZox.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: VBY5zBdZox.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: VBY5zBdZox.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: VBY5zBdZox.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: VBY5zBdZox.exe | Virustotal: Detection: 34%
                  Source: VBY5zBdZox.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Command line argument: 08A
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: VBY5zBdZox.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: <vF&C:\yibofew\hileyejugeyaxe\bojavonu7\fopadoj dajewinobasimi33\ge.pdb0 source: VBY5zBdZox.exe
                  Source: Binary string: _.pdb source: VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\yibofew\hileyejugeyaxe\bojavonu7\fopadoj dajewinobasimi33\ge.pdb source: VBY5zBdZox.exe

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Unpacked PE file: 0.2.VBY5zBdZox.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Unpacked PE file: 0.2.VBY5zBdZox.exe.400000.0.unpack .text:ER;.data:W;.kuxo:W;.pixihu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0041C40C push cs; iretd
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_00423149 push eax; ret
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0041C50E push cs; iretd
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004231C8 push eax; ret
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0040E21D push ecx; ret
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0041C6BE push ebx; ret
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027AC125 push ebx; ret
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027ABE73 push cs; iretd
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_027ABF75 push cs; iretd
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0279E484 push ecx; ret
                  Source: VBY5zBdZox.exe | Static PE information: section name: .kuxo
                  Source: VBY5zBdZox.exe | Static PE information: section name: .pixihu
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe TID: 6196 | Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe TID: 5896 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Window / User API: threadDelayed 673
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Window / User API: threadDelayed 1180
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_0279092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Code function: 0_2_02790D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_004123F1 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_0279D070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_0279E883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_027A71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_027A2658 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: VBY5zBdZox.exe, 00000000.00000003.300826226.0000000006084000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.316308989.00000000060AF000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.315822223.0000000005FE6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950ee8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a63a26.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.c15928.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a6490e.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a6490e.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.5150000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a63a26.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2790e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950ee8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.c15928.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.303381786.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: VBY5zBdZox.exe PID: 3176, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                  Source: VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                  Source: VBY5zBdZox.exe, 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\VBY5zBdZox.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: Yara match | File source: 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: VBY5zBdZox.exe PID: 3176, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950ee8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a63a26.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.5150000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.c15928.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a6490e.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a6490e.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.5150000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2a63a26.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2790e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.VBY5zBdZox.exe.2950ee8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.VBY5zBdZox.exe.c15928.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.303381786.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: VBY5zBdZox.exe PID: 3176, type: MEMORYSTR
                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts221
                  Windows Management Instrumentation
                  Path InterceptionPath Interception1
                  Masquerading
                  1
                  OS Credential Dumping
                  1
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  Exfiltration Over Other Network Medium1
                  Encrypted Channel
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts2
                  Command and Scripting Interpreter
                  Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools
                  LSASS Memory26
                  Security Software Discovery
                  Remote Desktop Protocol3
                  Data from Local System
                  Exfiltration Over Bluetooth1
                  Non-Standard Port
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain Accounts2
                  Native API
                  Logon Script (Windows)Logon Script (Windows)231
                  Virtualization/Sandbox Evasion
                  Security Account Manager231
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                  Deobfuscate/Decode Files or Information
                  NTDS12
                  Process Discovery
                  Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information
                  LSA Secrets1
                  Application Window Discovery
                  SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Software Packing
                  Cached Domain Credentials134
                  System Information Discovery
                  VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  Source | Detection | Scanner | Label | Link
                  VBY5zBdZox.exe | 35% | Virustotal | | Browse
                  VBY5zBdZox.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  http://service.r | 0% | URL Reputation | safe |
                  http://tempuri.org/ | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                  http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
                  http://support.a | 0% | URL Reputation | safe |
                  https://api.ip.sb/ip | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                  http://forms.rea | 0% | URL Reputation | safe |
                  http://www.interoperabilitybridges.com/wmp-extension-for-chromea | 0% | Avira URL Cloud | safe |
                  http://go.micros | 0% | URL Reputation | safe |
                  http://www.w3.o | 0% | URL Reputation | safe |
                  No contacted domains info
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/sc/sct | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://duckduckgo.com/chrome_newtab | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://service.r | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://duckduckgo.com/ac/?q= | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/ | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://tempuri.org/Entity/Id2Response | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://support.google.com/chrome/?p=plugin_real | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.interoperabilitybridges.com/wmp-extension-for-chrome | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://support.google.com/chrome/?p=plugin_pdf | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://forms.real.com/real/realone/download.html?type=rpsp_us | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://support.a | VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://api.ip.sb/ipVBY5zBdZox.exe, 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exeVBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://support.google.com/chrome/?p=plugin_quicktimeVBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/scVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=VBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312959266.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314557209.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313959757.0000000003E42000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311668114.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312555896.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312182241.0000000003014000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312436650.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314419518.0000000003F77000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314279019.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312009501.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313526639.0000000003D5A000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.314105435.0000000003EB4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id1ResponseVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedVBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingVBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://support.google.com/chrome/?p=plugin_shockwaveVBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://forms.reaVBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.interoperabilitybridges.com/wmp-extension-for-chromeaVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trustVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/NonceVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsVBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://support.google.com/chrome/?p=plugin_wmpVBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://support.google.com/chrome/answer/6258784VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/VBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://support.google.com/chrome/?p=plugin_flashVBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trustVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://support.google.com/chrome/?p=plugin_javaVBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://go.microsVBY5zBdZox.exe, 00000000.00000002.312070842.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.313057637.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.311765641.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, VBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/06/addressingexVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoorVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseVBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/faultVBY5zBdZox.exe, 00000000.00000002.308467878.0000000002D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510VBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQVBY5zBdZox.exe, 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://support.google.com/chrome/?p=plugin_divxVBY5zBdZox.exe, 00000000.00000002.312246647.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
IP: 193.106.191.246
Domain: unknown
Country: Russian Federation
ASN: 42238
ASN Name: BOSPOR-ASRU
Malicious: true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 651254
Start date and time: 2022-06-23 17:50:05 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VBY5zBdZox (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 38.5% (good quality ratio 36.9%)
• Quality average: 84.9%
• Quality standard deviation: 24.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:51:39 | API Interceptor | 11x Sleep call for process: VBY5zBdZox.exe modified
Created / dropped Files
Process: C:\Users\user\Desktop\VBY5zBdZox.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2932
Entropy (8bit): 5.334469918014252
Encrypted: false
SSDEEP: 48:MIHK5HKXeHKlEHU0YHKhQnouHIWUfHK7HKhBHKdHKB1AHKzvQTHmtHoxHImHK1HQ:Pq5qXeqm00YqhQnouOq7qLqdqUqzcGtk
MD5: E35A7613F21B0D1588DE4D14CF853427
SHA1: 18AE391E9AB0C970849150EE4D7111473EEE2BD3
SHA-256: 2EB260A8675B41093A7696456E8386F5D212A131BB298D9CC1C58D05E3DA8D49
SHA-512: 6E06C59608F8E491D69F66BB1E83DD522A48D1836CA6B03449822E7BD126ACB2EEEB08FA748CF6E2A524EED361738549B48712E3146AE3D3E958CD2ECD73D10E
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Cultu
Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.236398485913625
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: VBY5zBdZox.exe
File size: 423424
MD5: acc0fb4cb35df2d49fc609f2e299ed5e
SHA1: fff261da7332d1bef4253539c3217dcedce99a17
SHA256: 907b6500dba0a048d51a3381fafed7e8b6eb256381f53c6471ebb6d305fddfd4
SHA512: 117ac79355ca79948a050534b625d5bb757640429848a50ddf75fdff3095d03c5db66f74ec01bdc3c8296772b463cdf67963689aca323bedcc059c81ebf70d75
SSDEEP: 6144:RSgQqggOstPSlcWUBzn0Nt/uCkL4iXczObpZz7xVV667fyj7gV+vV:AnqgxuFN0Nt/uC1IczObHxVV6rdV
TLSH: 5094CF10BB90C435F1F711F49AB69668792E3EE15B3450CB62E55AEE5338AE0EC3131B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3z..3z..3z...5..2z..-(..,z..-(...z......4z..3z~..z..-(...z..-(..2z..-(..2z..Rich3z..........................PE..L....:;`...
Icon Hash: 9bf031f096136cf2
Entrypoint: 0x40e770
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x603B3A0D [Sun Feb 28 06:37:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 0bfee496a3ef5b77673533836f065911
Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F095CD0B66Bh
call 00007F095CCFE8D6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 00430B88h
push 004122B0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [0045D264h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401250h]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007F095CCFE8E8h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007F095CCFEA18h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F095CCFEA54h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007F095CD0CDCAh
add esp, 04h
test eax, eax
jne 00007F095CCFE8CCh
push 0000001Ch
call 00007F095CCFEA0Ch
add esp, 04h
call 00007F095CD06D14h
test eax, eax
jne 00007F095CCFE8CCh
push 00000010h
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x312a4 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x750000 | 0x9f90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1380 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2e0 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x328 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x315ce | 0x31600 | False | 0.4520767405063291 | data | 6.399579325671367 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x33000 | 0x71a808 | 0x2b800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.kuxo | 0x74e000 | 0x4b | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pixihu | 0x74f000 | 0x4a | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x750000 | 0x9f90 | 0xa000 | False | 0.6589599609375 | data | 6.073939237547317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x7504e0 | 0x6c8 | data | Kyrgyz | Cyrillic
RT_ICON | 0x750ba8 | 0x568 | GLS_BINARY_LSB_FIRST | Kyrgyz | Cyrillic
RT_ICON | 0x751110 | 0x10a8 | data | Kyrgyz | Cyrillic
RT_ICON | 0x7521b8 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Kyrgyz | Cyrillic
RT_ICON | 0x752b40 | 0x468 | GLS_BINARY_LSB_FIRST | Kyrgyz | Cyrillic
RT_ICON | 0x752ff8 | 0xea8 | data | Kyrgyz | Cyrillic
RT_ICON | 0x753ea0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | Kyrgyz | Cyrillic
RT_ICON | 0x754748 | 0x6c8 | data | Kyrgyz | Cyrillic
RT_ICON | 0x754e10 | 0x568 | GLS_BINARY_LSB_FIRST | Kyrgyz | Cyrillic
RT_ICON | 0x755378 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | Kyrgyz | Cyrillic
RT_ICON | 0x757920 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | Kyrgyz | Cyrillic
RT_ICON | 0x7589c8 | 0x988 | data | Kyrgyz | Cyrillic
RT_ICON | 0x759350 | 0x468 | GLS_BINARY_LSB_FIRST | Kyrgyz | Cyrillic
RT_STRING | 0x759910 | 0x42 | data | Kyrgyz | Cyrillic
RT_STRING | 0x759958 | 0x4ac | data | Kyrgyz | Cyrillic
RT_STRING | 0x759e08 | 0x188 | data | Kyrgyz | Cyrillic
RT_ACCELERATOR | 0x759870 | 0x70 | data | Kyrgyz | Cyrillic
RT_ACCELERATOR | 0x759830 | 0x40 | data | Kyrgyz | Cyrillic
RT_GROUP_ICON | 0x7597b8 | 0x76 | data | Kyrgyz | Cyrillic
RT_GROUP_ICON | 0x752fa8 | 0x4c | data | Kyrgyz | Cyrillic
None | 0x7598f0 | 0xa | data | Kyrgyz | Cyrillic
None | 0x7598e0 | 0xa | data | Kyrgyz | Cyrillic
None | 0x759900 | 0xa | data | Kyrgyz | Cyrillic
DLL | Import
KERNEL32.dll | DebugBreakProcess, FindFirstChangeNotificationA, GetNamedPipeHandleStateW, CreateIoCompletionPort, FillConsoleOutputCharacterW, DisableThreadLibraryCalls, TerminateProcess, GetProcessId, VerifyVersionInfoW, EnumDateFormatsW, FindNextFileW, CopyFileExA, BuildCommDCBAndTimeoutsW, VirtualUnlock, WriteProfileStringW, VerifyVersionInfoA, SetProcessPriorityBoost, GetFileType, DeleteFileA, FindNextVolumeMountPointA, OutputDebugStringA, ResetWriteWatch, WriteConsoleInputA, WriteConsoleInputW, GetConsoleTitleW, SetComputerNameExW, GetTimeZoneInformation, LoadLibraryA, GetSystemDirectoryA, GetDriveTypeW, BuildCommDCBAndTimeoutsA, GetShortPathNameW, ActivateActCtx, GetProfileSectionA, DeleteFileW, GetCommandLineW, InterlockedIncrement, InterlockedExchangeAdd, AddRefActCtx, FindResourceA, FormatMessageA, GetModuleFileNameW, CreateJobObjectW, InitializeCriticalSection, SetFirmwareEnvironmentVariableW, GetDllDirectoryA, GetExitCodeThread, WritePrivateProfileStringW, GetConsoleAliasesLengthW, WriteProfileSectionW, AddAtomA, InterlockedDecrement, GetVersionExA, HeapSize, _hwrite, InterlockedExchange, GetStartupInfoW, DisconnectNamedPipe, GetCPInfoExW, GetSystemWow64DirectoryW, SetLastError, GetPrivateProfileIntA, GetConsoleAliasExesW, DebugBreak, EndUpdateResourceW, GetLastError, GetStringTypeExW, DeleteVolumeMountPointA, OpenFileMappingA, SetDefaultCommConfigW, VirtualAlloc, lstrcpyA, TerminateThread, GetACP, lstrcatA, GetConsoleAliasA, _lwrite, GetQueuedCompletionStatus, GetNamedPipeHandleStateA, GetDiskFreeSpaceExW, RemoveVectoredExceptionHandler, WriteConsoleW, VirtualProtect, ReadConsoleOutputW, SetThreadContext, BuildCommDCBA, ReleaseActCtx, GetHandleInformation, GetComputerNameW, WritePrivateProfileSectionW, TryEnterCriticalSection, GetPrivateProfileSectionNamesW, OpenWaitableTimerW, CopyFileW, GetVolumePathNameW, SetConsoleMode, HeapSetInformation, SetComputerNameA, FindNextFileA, SetEvent, UnlockFileEx, GetProcAddress, DeleteTimerQueueTimer, MoveFileA, GlobalAlloc, SetCommMask, SetFileShortNameA, FreeEnvironmentStringsW, GetSystemWindowsDirectoryA, GetProfileStringA, GetConsoleTitleA, GlobalGetAtomNameA, SetComputerNameW, GetConsoleAliasesW, CreateMailslotA, EnumDateFormatsA, GetConsoleOutputCP, MoveFileWithProgressW, GetFileInformationByHandle, SetLocalTime, FoldStringW, CallNamedPipeA, GetConsoleAliasExesLengthW, GetCurrentActCtx, OpenSemaphoreW, GetModuleHandleExA, LoadLibraryW, WriteConsoleOutputCharacterW, GetFileAttributesA, GetTickCount, GetConsoleAliasesLengthA, LocalUnlock, GetFileTime, EnumResourceNamesW, OpenFileMappingW, UnhandledExceptionFilter, GetCompressedFileSizeW, GetThreadPriority, ReadConsoleA, AssignProcessToJobObject, Sleep, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwind, WideCharToMultiByte, GetCommandLineA, GetStartupInfoA, HeapValidate, IsBadReadPtr, SetUnhandledExceptionFilter, GetCurrentProcess, IsDebuggerPresent, GetModuleHandleA, TlsGetValue, GetModuleHandleW, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, GetOEMCP, GetCPInfo, IsValidCodePage, SetStdHandle, WriteFile, GetConsoleCP, GetConsoleMode, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, ExitProcess, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, HeapDestroy, HeapCreate, HeapFree, VirtualFree, HeapAlloc, HeapReAlloc, FlushFileBuffers, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, LCMapStringA, LCMapStringW, WriteConsoleA, SetFilePointer, CreateFileA, CloseHandle
USER32.dll | CharUpperA
WINHTTP.dll | WinHttpWriteData
Language of compilation system | Country where language is spoken | Map
Kyrgyz Cyrillic | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/23/22-17:51:27.182664 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49758 | 23196 | 192.168.2.4 | 193.106.191.246
06/23/22-17:51:29.952462 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49758 | 23196 | 192.168.2.4 | 193.106.191.246
06/23/22-17:51:28.242070 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 23196 | 49758 | 193.106.191.246 | 192.168.2.4
No statistics

Target ID: 0
Start time: 17:51:07
Start date: 23/06/2022
Path: C:\Users\user\Desktop\VBY5zBdZox.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\VBY5zBdZox.exe"
Imagebase: 0x400000
File size: 423424 bytes
MD5 hash: ACC0FB4CB35DF2D49FC609F2E299ED5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.314646008.0000000005150000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.305431311.0000000002950000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.239424643.00000000027D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.301936626.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.303381786.0000000002790000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.306212179.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.240106550.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.310555251.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly