
Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
Analysis ID: 756115
MD5: 34a852c0f62294480e1e6e154b00539a
SHA1: 6204b0e10eaf8094da16cb5ca7c325f1dbfa97f0
SHA256: f461d11f2fac14f49aeedd66999b404cfce4138d27fe7e1da79f0aa85eee5149
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe (PID: 3384 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe MD5: 34A852C0F62294480E1E6E154B00539A)
    • conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 260 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware configuration (RedLine):
{"C2 url": ["193.106.191.138:32796"], "Authorization Header": "54c79ce081122137049ee07c0a2f38ab"}

Yara matches (PCAP)

Source: dump.pcap; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: dump.pcap; Rule: JoeSecurity_RedLine_1; Description: Yara detected RedLine Stealer; Author: Joe Security

Yara matches (memory dumps)

Source: 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000000.00000003.318847444.00000000005E2000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
(3 further entries not shown in this extract)

Yara matches (unpacked PE files)

Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen; Strings:
  • 0x21068:$pat14: , CommandLine:
  • 0x18d64:$v2_1: ListOfProcesses
  • 0x18af8:$v4_3: base64str
  • 0x19b83:$v4_4: stringKey
  • 0x16708:$v4_5: BytesToStringConverted
  • 0x15770:$v4_6: FromBase64
  • 0x16edc:$v4_8: procName
  • 0x1725f:$v5_1: DownloadAndExecuteUpdate
  • 0x18a08:$v5_2: ITaskProcessor
  • 0x1724d:$v5_3: CommandLineUpdate
  • 0x1723e:$v5_4: DownloadUpdate
  • 0x178f2:$v5_5: FileScanning
  • 0x16a77:$v5_7: RecordHeaderField
  • 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen; Strings:
  • 0x1f468:$pat14: , CommandLine:
  • 0x17164:$v2_1: ListOfProcesses
  • 0x16ef8:$v4_3: base64str
  • 0x17f83:$v4_4: stringKey
  • 0x14b08:$v4_5: BytesToStringConverted
  • 0x13b70:$v4_6: FromBase64
  • 0x152dc:$v4_8: procName
  • 0x1565f:$v5_1: DownloadAndExecuteUpdate
  • 0x16e08:$v5_2: ITaskProcessor
  • 0x1564d:$v5_3: CommandLineUpdate
  • 0x1563e:$v5_4: DownloadUpdate
  • 0x15cf2:$v5_5: FileScanning
  • 0x14e77:$v5_7: RecordHeaderField
  • 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.400000.0.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
(1 further entry not shown in this extract)
                      No Sigma rule has matched
Snort IDS alerts

Timestamp: 11/29/22-16:50:39.536972
Source IP: 192.168.2.5
Destination IP: 193.106.191.138
SID: 2850027
Source Port: 49699
Destination Port: 32796
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/29/22-16:51:03.828285
Source IP: 192.168.2.5
Destination IP: 193.106.191.138
SID: 2850286
Source Port: 49699
Destination Port: 32796
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/29/22-16:50:41.373927
Source IP: 193.106.191.138
Destination IP: 192.168.2.5
SID: 2850353
Source Port: 32796
Destination Port: 49699
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe; Virustotal: Detection: 30%
Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe; Joe Sandbox ML: detected
Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack; Malware Configuration Extractor: RedLine {"C2 url": ["193.106.191.138:32796"], "Authorization Header": "54c79ce081122137049ee07c0a2f38ab"}
Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4x nop then jmp 09F9F6D0h

                      Networking

Source: Traffic; Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49699 -> 193.106.191.138:32796
Source: Traffic; Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49699 -> 193.106.191.138:32796
Source: Traffic; Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 193.106.191.138:32796 -> 192.168.2.5:49699
Source: global traffic; TCP traffic: 193.106.191.138 ports 2,3,32796,6,7,9
Source: Malware configuration extractor; URLs: 193.106.191.138:32796
Source: Joe Sandbox View; ASN Name: BOSPOR-ASRU
Source: Joe Sandbox View; IP Address: 193.106.191.138
Source: global traffic; TCP traffic: 192.168.2.5:49699 -> 193.106.191.138:32796
Source: unknown; TCP traffic detected without corresponding DNS query: 193.106.191.138
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422006641.000000000773D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422006641.000000000773D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                      Source: vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                      Source: vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                      Source: vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine, snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine, snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine, snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameThirdsmen.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, 00000000.00000000.315352225.0000000000439000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCarapace ruff0 vs SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Binary or memory string: OriginalFilenameCarapace ruff0 vs SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Virustotal: Detection: 30%
                      Source: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\user\AppData\Local\Yandex
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@0/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack, BrEx.cs | Base64 encoded string: [value not reproduced on this page]
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:576:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_01
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Code function: 0_2_00408329 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_07368976 push es; retf
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | Code function: 0_2_0040A6AC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 1980, Thread sleep count: 4610 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4848, Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4412, Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Window / User API: threadDelayed 4610
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00409EB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_0040A6AC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00403620 GetVersion,AreFileApisANSI,FindFirstPrinterChangeNotification,QueryPerformanceFrequency,WritePrinter,GetProcessHeap,FindClosePrinterChangeNotification,CreateEventW,GetLogicalDrives,CreateFileW,CreateFileW,GetCurrentProcess,CreateMutexW,CreateFileW,IsProcessorFeaturePresent,FindClosePrinterChangeNotification,FindClosePrinterChangeNotification,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00414154 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00409EB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_0040E97E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00406F82 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00409384 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 11BD008
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00414189 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: GetLocaleInfoA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_004084CC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, Code function: 0_2_00403620 GetVersion,AreFileApisANSI,FindFirstPrinterChangeNotification,QueryPerformanceFrequency,WritePrinter,GetProcessHeap,FindClosePrinterChangeNotification,CreateEventW,GetLogicalDrives,CreateFileW,CreateFileW,GetCurrentProcess,CreateMutexW,CreateFileW,IsProcessorFeaturePresent,FindClosePrinterChangeNotification,FindClosePrinterChangeNotification,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match, File source: dump.pcap, type: PCAP
                      Source: Yara match, File source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000003.318847444.00000000005E2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe PID: 3384, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 260, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ElectrumE#
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: k2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: JaxxE#
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: %appdata%\Exodus\exodus.wallet
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: %appdata%\Ethereum\wallets
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ExodusE#
                      Source: vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: EthereumE#
                      Source: vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: k6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara match, File source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 260, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Source: Yara match, File source: dump.pcap, type: PCAP
                      Source: Yara match, File source: 0.3.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.5e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.414788.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000003.318847444.00000000005E2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe PID: 3384, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: vbc.exe PID: 260, type: MEMORYSTR
                      MITRE ATT&CK Matrix (techniques listed per tactic; numbers in parentheses are the badge values displayed next to a technique in the original matrix)

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                      Execution: Windows Management Instrumentation (2 2 1); Native API (2); At (Linux); At (Windows); Cron; Launchd
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                      Privilege Escalation: Process Injection (4 1 1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                      Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2 3 1); Process Injection (4 1 1); Obfuscated Files or Information (2 1); Steganography
                      Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                      Discovery: System Time Discovery (1); Security Software Discovery (2 4); Process Discovery (1 1); Virtualization/Sandbox Evasion (2 3 1); Application Window Discovery (1); System Information Discovery (1 3 5)
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                      Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
                      Impact: Modify System Partition; Device Lockout; Delete Device Data
                      Source | Detection | Scanner | Label | Link
                      SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | 30% | Virustotal | | Browse
                      SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
                      http://tempuri.org/ | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
                      https://api.ip.sb/ip | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                      193.106.191.138:32796 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
                      http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe |
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      193.106.191.138:32796 | true | URL Reputation: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://duckduckgo.com/chrome_newtab | vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://duckduckgo.com/ac/?q= | vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://tempuri.org/Entity/Id12Response | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://tempuri.org/ | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://tempuri.org/Entity/Id2Response | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false
                                    high
                                    http://tempuri.org/Entity/Id21Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrapvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://tempuri.org/Entity/Id9vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faulthvbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://tempuri.org/Entity/Id8vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://tempuri.org/Entity/Id5vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Preparevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://tempuri.org/Entity/Id4vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://tempuri.org/Entity/Id7vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://tempuri.org/Entity/Id6vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/Entity/Id19Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencevbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsatvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/Entity/Id15Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registervbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id6Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://api.ip.sb/ipSecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe, 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/scvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id9Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id20vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id21vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id22vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id23vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id24vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id24Responsevbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id1Responsevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedvbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegovbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingvbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id11vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id12vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16Responsevbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id13vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id14vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id15vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Noncevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id17vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id18vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id5Responsevbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsvbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id10Responsevbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Renewvbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
| Name | Source | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- |
| http://tempuri.org/Entity/Id8Response | vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/soap/envelope/ | vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://search.yahoo.com?fr=crmas_sfpf | vbc.exe, 00000002.00000002.423894970.0000000007996000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404603370.0000000008754000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.404090422.0000000008685000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.408056557.000000000880D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405554878.000000000883F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.405444480.0000000008822000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.421928279.0000000007730000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.407871530.00000000087F0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.403947258.0000000008668000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.406589920.000000000897E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/02/trust | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://tempuri.org/Entity/Id23Response | vbc.exe, 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.419721126.00000000074E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2004/06/addressingex | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2004/10/wscoor | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | vbc.exe, 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 193.106.191.138 | unknown | Russian Federation | 42238 | BOSPOR-ASRU | true |
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756115
Start date and time: 2022-11-29 16:49:14 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 90.9% (good quality ratio 87.2%)
• Quality average: 82.3%
• Quality standard deviation: 25.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target vbc.exe, PID 260 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
| --- | --- | --- |
| 16:50:51 | API Interceptor | 23x Sleep call for process: vbc.exe modified |
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHjW:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxM
MD5: E787CF7FE6F73C60B1ADCB6CFE9A2FAE
SHA1: CF44D405D677875BC3AC3A41336DA6C8F3E58277
SHA-256: 6332B18367739773EAA1686C22A11DCEAD2D7314EBCEE5510F5E6A799A301203
SHA-512: 8C7213E33F6A56744FAED770ECC85BFC0F9DF1EA07249CFA6FDFD1EB0822F0ADD47BB072EE21CA6442D03A1E44FE2613BFC4FFC4B72B029F33AA292A390F023B
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.344808175573031
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
File size: 221696
MD5: 34a852c0f62294480e1e6e154b00539a
SHA1: 6204b0e10eaf8094da16cb5ca7c325f1dbfa97f0
SHA256: f461d11f2fac14f49aeedd66999b404cfce4138d27fe7e1da79f0aa85eee5149
SHA512: 3d1edf618361a6544937b7c2e5f74bc0d7793d5eb1738ccc3a5d47cf1819efd6ca4bd4bd55d883b7826ee59c6dd6287b5a611d4d4dcdd7a788e260a2c821bea4
SSDEEP: 3072:ehbc8yCxsFNcEyyrJ9WU4khLTvPZFzD0yfZNuzK/hRp1d53CDX5dINLqVqU:VCxGNp7FUyf2AhZjwINut
TLSH: F124CF1AF5621232DE6AE0F855C1CBD4603D66B2AF81400A7F2D0F7F6D3A0D7729635A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v...$...v...$...v.......v...$...v.......v..ty...v...v...v.......v...$...v.......v..Rich.v..........PE..L...X..c...
Icon Hash: 00828e8e8686b000
Entrypoint: 0x406252
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x63860258 [Tue Nov 29 13:00:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: bcac65c952b8ab1f885fe93835602555
Instruction
call 00007FF934D37E1Ah
jmp 00007FF934D35A49h
mov edi, edi
push esi
push 00000001h
push 00436BA0h
mov esi, ecx
call 00007FF934D37E9Ah
mov dword ptr [esi], 00410B84h
mov eax, esi
pop esi
ret
mov dword ptr [ecx], 00410B84h
jmp 00007FF934D37EFFh
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00410B84h
call 00007FF934D37EECh
test byte ptr [ebp+08h], 00000001h
je 00007FF934D35BA9h
push esi
call 00007FF934D37F55h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF934D37E6Bh
mov dword ptr [esi], 00410B84h
mov eax, esi
pop esi
pop ebp
                                                                                                                                                  retn 0004h
                                                                                                                                                  mov edi, edi
                                                                                                                                                  push ebp
                                                                                                                                                  mov ebp, esp
                                                                                                                                                  sub esp, 0Ch
                                                                                                                                                  jmp 00007FF934D35BAFh
                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                  call 00007FF934D3818Fh
                                                                                                                                                  pop ecx
                                                                                                                                                  test eax, eax
                                                                                                                                                  je 00007FF934D35BB1h
                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                  call 00007FF934D380A9h
                                                                                                                                                  pop ecx
                                                                                                                                                  test eax, eax
                                                                                                                                                  je 00007FF934D35B88h
                                                                                                                                                  leave
                                                                                                                                                  ret
                                                                                                                                                  test byte ptr [00437C08h], 00000001h
                                                                                                                                                  mov esi, 00437BFCh
                                                                                                                                                  jne 00007FF934D35BBBh
                                                                                                                                                  or dword ptr [00437C08h], 01h
                                                                                                                                                  mov ecx, esi
                                                                                                                                                  call 00007FF934D35AF9h
                                                                                                                                                  push 0040F8B3h
                                                                                                                                                  call 00007FF934D38016h
                                                                                                                                                  pop ecx
                                                                                                                                                  push esi
                                                                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                  call 00007FF934D45B32h
                                                                                                                                                  Programming Language:
                                                                                                                                                  • [ASM] VS2008 build 21022
                                                                                                                                                  • [ C ] VS2008 build 21022
                                                                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                                                                  • [C++] VS2008 build 21022
                                                                                                                                                  • [IMP] VS2005 build 50727
                                                                                                                                                  • [C++] VS2008 SP1 build 30729
                                                                                                                                                  • [RES] VS2008 build 21022
                                                                                                                                                  • [LNK] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x128a4          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x39000          0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x10000          0x150         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type             | Entropy            | Characteristics
.text  | 0x1000          | 0xe8c7       | 0xea00   | False    | 0.5349726228632479 | data                  | 6.652448585777237  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000         | 0x3092       | 0x3200   | False    | 0.48296875         | data                  | 6.068435754636973  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x14000         | 0x247d8      | 0x23c00  | False    | 0.7369017701048951 | Alpha compressed COFF | 7.268563044922397  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x39000         | 0x600        | 0x600    | False    | 0.455078125        | data                  | 3.9776323787735532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                   | Language | Country
RT_VERSION  | 0x39200 | 0x3fc | data                                   | English  | United States
RT_MANIFEST | 0x390a0 | 0x15a | ASCII text, with CRLF line terminators | English  | United States
DLL          | Import
KERNEL32.dll | GetLogicalDrives, CreateEventW, GetProcessHeap, QueryPerformanceFrequency, AreFileApisANSI, GetVersion, CreateFileW, GetCurrentProcess, CreateMutexW, IsProcessorFeaturePresent, FreeConsole, MultiByteToWideChar, GetModuleHandleA, GetProcAddress, GetCommandLineA, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
WINSPOOL.DRV | FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification, FindNextPrinterChangeNotification, WritePrinter, ScheduleJob
COMCTL32.dll | ImageList_Remove, ImageList_ReplaceIcon, InitCommonControlsEx, ImageList_Destroy, ImageList_Create, ImageList_SetBkColor, CreateToolbarEx
Language of compilation system | Country where language is spoken
English                        | United States
Timestamp                | Protocol | SID     | Message                                              | Source Port | Dest Port | Source IP       | Dest IP
11/29/22-16:50:39.536972 | TCP      | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init   | 49699       | 32796     | 192.168.2.5     | 193.106.191.138
11/29/22-16:51:03.828285 | TCP      | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity       | 49699       | 32796     | 192.168.2.5     | 193.106.191.138
11/29/22-16:50:41.373927 | TCP      | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 32796       | 49699     | 193.106.191.138 | 192.168.2.5


Target ID: 0
Start time: 16:50:17
Start date: 29/11/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.7840.9995.exe
Imagebase: 0x400000
File size: 221696 bytes
MD5 hash: 34A852C0F62294480E1E6E154B00539A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.319419057.0000000000415000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.318847444.00000000005E2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 16:50:17
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 16:50:18
Start date: 29/11/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
Imagebase: 0x1320000
File size: 2688096 bytes
MD5 hash: B3A917344F5610BEEC562556F11300FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.420283444.0000000007573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.422192402.0000000007777000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 16:51:05
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

No disassembly