
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756296
MD5: b285997d1fb1ed7ff9129e4e9566c2e5
SHA1: 64fe09e86b2e6dc67bb85faf9d7a746976edb4a0
SHA256: 8edce063ac9af61dd0b493b9dec7e959b93021ad55a07cfe6e2b5519b46581f2
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
Contains functionality to read the PEB
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5316 cmdline: C:\Users\user\Desktop\file.exe MD5: B285997D1FB1ED7FF9129E4E9566C2E5)
    • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 5384 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup
{"C2 url": ["172.86.120.146:2819"], "Bot Id": "1kMixWorldTest", "Authorization Header": "7158f67354faaa79bd6ac126ef4cf20e"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: file.exe PID: 5316 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.3.file.exe.10b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.3.file.exe.10b0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x2104c:$pat14: , CommandLine:
  • 0x18d58:$v2_1: ListOfProcesses
  • 0x18aec:$v4_3: base64str
  • 0x19b7f:$v4_4: stringKey
  • 0x16708:$v4_5: BytesToStringConverted
  • 0x15770:$v4_6: FromBase64
  • 0x16edc:$v4_8: procName
  • 0x1725f:$v5_1: DownloadAndExecuteUpdate
  • 0x189fc:$v5_2: ITaskProcessor
  • 0x1724d:$v5_3: CommandLineUpdate
  • 0x1723e:$v5_4: DownloadUpdate
  • 0x178f0:$v5_5: FileScanning
  • 0x16a77:$v5_7: RecordHeaderField
  • 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.file.exe.4a17a0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.file.exe.4a17a0.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1f44c:$pat14: , CommandLine:
  • 0x17158:$v2_1: ListOfProcesses
  • 0x16eec:$v4_3: base64str
  • 0x17f7f:$v4_4: stringKey
  • 0x14b08:$v4_5: BytesToStringConverted
  • 0x13b70:$v4_6: FromBase64
  • 0x152dc:$v4_8: procName
  • 0x1565f:$v5_1: DownloadAndExecuteUpdate
  • 0x16dfc:$v5_2: ITaskProcessor
  • 0x1564d:$v5_3: CommandLineUpdate
  • 0x1563e:$v5_4: DownloadUpdate
  • 0x15cf0:$v5_5: FileScanning
  • 0x14e77:$v5_7: RecordHeaderField
  • 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.file.exe.3e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
                      No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
11/30/22-00:11:55.241038 | 192.168.2.3 | 49684 | 172.86.120.146 | 2819 | TCP | 2850286 | A Network Trojan was detected
11/30/22-00:11:30.935107 | 192.168.2.3 | 49684 | 172.86.120.146 | 2819 | TCP | 2850027 | A Network Trojan was detected
11/30/22-00:11:32.905229 | 172.86.120.146 | 2819 | 192.168.2.3 | 49684 | TCP | 2850353 | A Network Trojan was detected


Source: 0.3.file.exe.10b0000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["172.86.120.146:2819"], "Bot Id": "1kMixWorldTest", "Authorization Header": "7158f67354faaa79bd6ac126ef4cf20e"}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00450450h
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, 004C5050h
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push edi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push edi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push edi
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ecx
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+14h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+14h]
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+14h]

                      Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49684 -> 172.86.120.146:2819
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49684 -> 172.86.120.146:2819
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 172.86.120.146:2819 -> 192.168.2.3:49684
Source: Malware configuration extractor | URLs: 172.86.120.146:2819
Source: Joe Sandbox View | ASN Name: NETRANGEUS NETRANGEUS
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.120.146 (this finding is listed 50 times in the report)
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: vbc.exe, 00000002.00000002.354699898.0000000004E86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adoboshop/$
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4pe
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: file.exe, file.exe, 00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
                      Source: vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: file.exe | String found in binary or memory: https://gcc.gnu.org/bugs/):
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                      Source: vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      Source: 0.3.file.exe.10b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.2.file.exe.4a17a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.2.file.exe.3e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
                      Source: 0.3.file.exe.10b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.file.exe.4a17a0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.file.exe.3e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FC030
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A07E
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004004F0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004287BE
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004388C0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004369C0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416B10
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420CA0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042EDD0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434F9E
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FF1C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_04EA0907
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_04EAF6D0
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004997B0 appears 58 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00493530 appears 41 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004857D0 appears 175 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00497BA0 appears 48 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0044F620 appears 143 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004996C0 appears 53 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00497A60 appears 42 times
                      Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
                      Source: file.exe, 00000000.00000003.263038196.00000000010D4000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZambuks.exe4 vs file.exe
                      Source: file.exe, 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZambuks.exe4 vs file.exe
                      Source: file.exe | Static PE information: Number of sections : 17 > 10
                      Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\user\AppData\Local\Yandex
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
Source: vbc.exe, 00000002.00000002.361829863.0000000007C26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361576683.0000000007BD5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
(This is the schema of the password_notes table in Chromium's Login Data SQLite database. SQLite reads the schema from sqlite_master when a database is opened, so finding it in vbc.exe memory shows the injected payload opened the browser credential store, consistent with the Login Data file access listed under Stealing of Sensitive Information.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 0.3.file.exe.10b0000.0.unpack, BrEx.cs | Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waHBra29sanBhfFBoYW50b20KZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8T3h5Z2VuCm1nZmZrZmJpZGloanBvYW9tYWpsYmdjaGRkbGljZ3BufFBhbGlXYWxsZXQKYW9ka2thZ25hZGNib2JmcGdnZm5qZW9uZ2VtamJqY2F8Qm9sdFgKa3Bmb3BrZWxtYXBjb2lwZW1mZW5kbWRjZ2huZWdpbW58TGlxdWFsaXR5V2FsbGV0CmhtZW9ibmZuZmNtZGtkY21sYmxnYWdtZnBmYm9pZWFmfFhkZWZpV2FsbGV0CmxwZmNiamtuaWpwZWVpbGxpZm5raWtnbmNpa2dmaGRvfE5hbWlXYWxsZXQKZG5nbWxibGNvZGZvYnBkcGVjYWFkZ2ZiY2dnZmpmbm18TWFpYXJEZUZpV2FsbGV0CmZmbmJlbGZkb2Vpb2hlbmtqaWJubWFkamllaGpoYWpifFlvcm9pV2FsbGV0CmlibmVqZGZqbW1rcGNubHBlYmtsbW5rb2VvaWhvZmVjfFRyb25saW5rCmpiZGFvY25laWlpbm1qYmpsZ2FsaGNlbGdiZWptbmlkfE5pZnR5V2FsbGV0Cm5rYmloZmJlb2dhZWFvZWhsZWZua29kYmVmZ3Bna25ufE1ldGFtYXNrCmFmYmNianBicGZhZGxrbWhtY2xoa2Vlb2RtYW1jZmxjfE1hdGhXYWxsZXQKaG5mYW5rbm9jZmVvZmJkZGdjaWpubWhuZm5rZG5hYWR8Q29pbmJhc2UKZmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8QmluYW5jZUNoYWluCm9kYmZwZWVpaGRrYmlobW9wa2JqbW9vbmZhbmxiZmNsfEJyYXZlV2FsbGV0CmhwZ2xmaGdmbmhiZ3BqZGVuamdtZGdvZWlhcHBhZmxufEd1YXJkYVdhbGxldApibG5pZWlpZmZib2lsbGtuam5lcG9namhrZ25vYXBhY3xFcXVhbFdhbGxldApjamVsZnBscGxlYmRqamVubGxwamNibG1qa2ZjZmZuZXxKYXh4eExpYmVydHkKZmloa2FrZm9ia21ram9qcGNocGZnY21oZmpubW5mcGl8Qml0QXBwV2FsbGV0CmtuY2NoZGlnb2JnaGVuYmJhZGRvampubmFvZ2ZwcGZqfGlXYWxsZXQKYW1rbWpqbW1mbGRkb2dtaHBqbG9pbWlwYm9mbmZqaWh8V29tYmF0CmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofEF0b21pY1dhbGxldApubGJtbm5pamNubGVna2pqcGNmamNsbWNmZ2dmZWZkbXxNZXdDeApuYW5qbWRrbmhraW5pZm5rZ2RjZ2djZm5oZGFhbW1tanxHdWlsZFdhbGxldApua2RkZ25jZGpnamZjZGRhbWZnY21mbmxoY2NuaW1pZ3xTYXR1cm5XYWxsZXQKZm5qaG1raGhta2Jqa2thYm5kY25ub2dhZ29nYm5lZWN8Um9uaW5XYWxsZXR
(The sandbox truncates the string. It decodes to a newline-separated list of '<Chrome extension ID>|<wallet name>' pairs, beginning ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet, ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink, jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet, nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask, and continuing through the other wallet names visible in the Base64 (MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, Phantom, XdefiWallet, ...). This is the stealer's target list of browser-extension wallets, and it matches the "Tries to steal Crypto Currency Wallets" signature.)
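An added example (not code from the report or from the sample) that turns the blob above into something an analyst can act on: it decodes the list, tolerates the report's own truncation (the string ends mid-record and without padding), validates each ID against Chrome's extension-ID alphabet, and intersects the result with a constructed set of extension IDs found on a victim profile. The embedded Base64 is the first seven records copied from the report plus a deliberately cut-off eighth record; the "installed extensions" set is constructed for the demonstration.

```python
import base64
import re

# First seven records of the blob above, copied verbatim from the report and cut at a
# record boundary, followed by one record deliberately truncated (no "\n", no padding)
# to mimic the report's own cut-off in the middle of "...RoninWallet".
WALLET_BLOB = (
    "ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQK"
    "aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsK"
    "amJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQK"
    "bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sK"
    "YWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9m"
    "YmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5k"
    "b2RqcHxCaW5hbmNlQ2hhaW4K"
    "b2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXR"   # truncated tail
)

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")


def decode_wallet_list(blob):
    """Decode the 'extensionId|walletName' list.

    Returns (records, partial): the complete records as (id, name) tuples and the
    trailing unterminated record (None when the blob ended cleanly). Whitespace from
    line wrapping is removed and missing Base64 padding is restored before decoding.
    """
    blob = "".join(blob.split())
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    lines = raw.decode("ascii").split("\n")
    partial = lines[-1] or None          # "" only if the last record ended with "\n"
    records = []
    for line in lines[:-1]:
        ext_id, _, name = line.partition("|")
        records.append((ext_id, name))
    return records, partial


def malformed_ids(records):
    """IDs that do not look like Chrome extension IDs (decoding or copy errors)."""
    return [ext_id for ext_id, _ in records if not EXT_ID_RE.fullmatch(ext_id)]


# Constructed for the example: directory names under a victim's Chrome
# "Extensions" folder are the extension IDs, so this is what IR would collect.
INSTALLED_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn",   # Metamask, appears in the decoded list
    "cjpalhdlnbpafiamejdnhcphjbkeiagm",   # uBlock Origin, not a wallet
}


def targeted_wallets_present(records, installed):
    """Which of the stealer's targets exist on the host (exposure assessment)."""
    return [(ext_id, name) for ext_id, name in records if ext_id in installed]


if __name__ == "__main__":
    recs, part = decode_wallet_list(WALLET_BLOB)
    for ext_id, name in recs:
        print(f"{ext_id}  {name}")
    print("dropped partial record:", part)
    print("malformed IDs:", malformed_ids(recs))
    print("targeted wallets present:", targeted_wallets_present(recs, INSTALLED_EXTENSIONS))
```

The partial record is returned rather than silently merged so the analyst knows the list was cut short by the sandbox and should be completed from a memory dump; the exposure check is the question an incident responder actually needs answered for a RedLine infection on a given host.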
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01
Source: file.exe | Static file information: File size 2564217 > 1048576
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E04B push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00460079 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E094 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E094 push edx; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00460141 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C1E1 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046018A push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046018A push edx; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E19B push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00460209 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043022A push edx; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046422C push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464228 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464230 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E2D1 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004602D1 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BA4A push eax; mov dword ptr [esp], ebx (2 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C35A push eax; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046031A push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046031A push edx; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E31A push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E31A push edx; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044C3C5 push ecx; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C3C1 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C3C6 push eax; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044C3C1 push ecx; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044C3C9 push ecx; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004643D0 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004643D0 push edx; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E399 push eax; mov dword ptr [esp], ebx
(Each "push reg1; mov dword ptr [esp], reg2" pair is a two-instruction equivalent of "push reg2"; the sandbox counts these as the call/push/ret obfuscation signature listed in the overview.)
Source: file.exe | Static PE information: section name: /4
Source: file.exe | Static PE information: section name: /14
Source: file.exe | Static PE information: section name: /29
Source: file.exe | Static PE information: section name: /41
Source: file.exe | Static PE information: section name: /55
Source: file.exe | Static PE information: section name: /67
Source: file.exe | Static PE information: section name: /80
Source: file.exe | Static PE information: section name: /91
Source: file.exe | Static PE information: section name: /107
(Section names of the form /<number> are offsets into the COFF string table, the GNU binutils convention for section names longer than 8 bytes. Together with the msvcrt startup sequence at 0_2_003E1150 (__p__acmdln, __initenv, _initterm, _cexit) this is consistent with a GCC/MinGW-built loader, which also explains the 17 sections flagged above.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX (63 identical entries)

                      Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6096 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6100 | Thread sleep count: 5309 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5408 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 5309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | API coverage: 2.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
(922337203685477 ms is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds, so these entries are threads parked on an unbounded wait rather than timed sleeps; the 5309-iteration delay loop on TID 6100 is the actual time-based stalling. The 149+ enumerations of the Uninstall key are the installed-software inventory that the stealer reports to its operator.)
Source: vbc.exe, 00000002.00000002.355418857.0000000004F64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareOWDZAPCUWin32_VideoControllerC85DSAXGVideoController120060621000000.000000-00077580863display.infMSBDAMG1VXMERPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsN6OX5TYYtring
Source: vbc.exe, 00000002.00000002.355418857.0000000004F64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: vbc.exe, 00000002.00000002.355418857.0000000004F64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
(The first string is the answer to the Win32_VideoController query above: PCI vendor ID 15AD is VMware and device 0405 is the VMware SVGA II adapter, which is exactly what a VM check keyed on the adapter name or PNP device ID would match. The "Hyper-V RAW" string is the name of the Winsock AF_HYPERV provider from mswsock.dll's protocol catalog, a normal by-product of Winsock initialisation rather than a detection result.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A116C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E1150 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,_cexit,exit,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 730000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 466008
Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 730000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 730000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A11A1 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
(4D5A is the ASCII "MZ" signature of a PE image. file.exe creates vbc.exe, allocates an RWX region at 0x730000 inside it, writes a PE image there, rewrites the initial thread's context and resumes it: the standard process-hollowing (RunPE) sequence. The running vbc.exe is therefore the injected .NET RedLine payload, not the Visual Basic compiler, even though its image path and signature are the legitimate ones; every vbc.exe finding in this report should be read with that in mind.)
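An added example (not from the report or the sample) of the detection logic a sandbox or EDR rule applies to the API sequence above: it walks a per-(caller, target) trace and only raises a verdict when a suspended process creation, an RWX remote allocation, a write beginning with "MZ" into that allocation, SetThreadContext and ResumeThread all occur in order. The trace is constructed from code function 0_2_004A11A1 and the "Memory allocated/written" lines; the CREATE_SUSPENDED flag and the use of the same thread are assumptions, since the report does not show call arguments. A second, constructed trace shows that a debugger-style attach, which also creates a suspended process and touches the thread context, is not flagged.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004        # dwCreationFlags bit; assumed, not shown in the report
PAGE_EXECUTE_READWRITE = 0x40        # the "page execute and read and write" protection above
STAGES = ("spawn_suspended", "rwx_alloc", "pe_write", "set_context", "resume")


@dataclass
class ApiCall:
    caller: str          # image of the process making the call
    api: str
    target: str          # process the call acts on
    detail: str = ""     # "key=value" tokens, as a sandbox would log arguments


# Constructed trace mirroring the report's hollowing of vbc.exe by file.exe.
# The data of the second write (base 0x466008) is not shown in the report, so it is omitted.
HOLLOWING_TRACE = [
    ApiCall("file.exe", "CreateProcessW", "vbc.exe", "flags=0x4"),
    ApiCall("file.exe", "GetThreadContext", "vbc.exe"),
    ApiCall("file.exe", "ReadProcessMemory", "vbc.exe"),
    ApiCall("file.exe", "VirtualAllocEx", "vbc.exe", "base=0x730000 protect=0x40"),
    ApiCall("file.exe", "WriteProcessMemory", "vbc.exe", "base=0x730000 data=4D5A9000"),
    ApiCall("file.exe", "VirtualProtectEx", "vbc.exe"),
    ApiCall("file.exe", "WriteProcessMemory", "vbc.exe", "base=0x466008"),
    ApiCall("file.exe", "SetThreadContext", "vbc.exe"),
    ApiCall("file.exe", "ResumeThread", "vbc.exe"),
]

# Constructed control: a debugger launching its debuggee suspended and adjusting
# the thread context, but never writing a PE image into the child.
BENIGN_TRACE = [
    ApiCall("devenv.exe", "CreateProcessW", "app.exe", "flags=0x4"),
    ApiCall("devenv.exe", "GetThreadContext", "app.exe"),
    ApiCall("devenv.exe", "SetThreadContext", "app.exe"),
    ApiCall("devenv.exe", "ResumeThread", "app.exe"),
]


def parse_detail(detail):
    """'base=0x730000 protect=0x40' -> {'base': '0x730000', 'protect': '0x40'}"""
    return dict(tok.split("=", 1) for tok in detail.split() if "=" in tok)


def _in_order(required, seen):
    """True if every item of `required` occurs in `seen`, in that order (subsequence test)."""
    it = iter(seen)
    return all(any(s == r for s in it) for r in required)


def detect_hollowing(trace):
    """Return {(caller, target): stages} for every pair that completes the RunPE chain."""
    state = {}
    for c in trace:
        st = state.setdefault((c.caller, c.target), {"stages": [], "rwx": set()})
        d = parse_detail(c.detail)
        if c.api == "CreateProcessW" and int(d.get("flags", "0"), 16) & CREATE_SUSPENDED:
            st["stages"].append("spawn_suspended")
        elif c.api == "VirtualAllocEx" and int(d.get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE:
            st["rwx"].add(d.get("base", "").lower())
            st["stages"].append("rwx_alloc")
        elif (c.api == "WriteProcessMemory"
              and d.get("data", "").upper().startswith("4D5A")     # "MZ" DOS header
              and d.get("base", "").lower() in st["rwx"]):          # into the RWX region
            st["stages"].append("pe_write")
        elif c.api == "SetThreadContext":
            st["stages"].append("set_context")
        elif c.api == "ResumeThread":
            st["stages"].append("resume")
    return {k: v["stages"] for k, v in state.items() if _in_order(STAGES, v["stages"])}


if __name__ == "__main__":
    print("hollowing trace:", detect_hollowing(HOLLOWING_TRACE))
    print("benign trace:   ", detect_hollowing(BENIGN_TRACE))
```

Requiring the MZ write to land inside a region the same caller allocated as RWX is what keeps the rule from firing on debuggers and on legitimate uses of SetThreadContext; in a real telemetry pipeline the same five stages map onto Sysmon event 1 (process create), event 8/10 (remote thread and process access) and the EDR's memory-write events.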
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
(These are the version-information lookups the CLR performs while binding assemblies. The set, System.Management for the WMI queries, System.ServiceModel for WCF, System.Web.Extensions for JSON serialisation, System.Security for DPAPI-backed decryption, is the footprint of the injected .NET payload rather than of the Visual Basic compiler that vbc.exe nominally is.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
(MachineGuid is a stable per-installation identifier; stealers commonly read it as the victim/host ID attached to the exfiltrated profile.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
(Querying both ROOT\SecurityCenter and ROOT\SecurityCenter2 covers pre-Vista and current Windows versions; the results are reported back to the operator together with the VM checks and the process list gathered earlier.)

                      Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.file.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a17a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5384, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match | File source: 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5384, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.file.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a17a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5384, type: MEMORYSTR
MITRE ATT&CK matrix (one matrix row per line, cells separated by |; the digit badges the original matrix shows next to techniques flagged in this analysis are kept in square brackets):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [221] | Path Interception | Process Injection [411] | Masquerading [1] | OS Credential Dumping [1] | Security Software Discovery [221] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools [1] | LSASS Memory | Process Discovery [11] | Remote Desktop Protocol | Data from Local System [2] | Exfiltration Over Bluetooth | Application Layer Protocol [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [231] | Security Account Manager | Virtualization/Sandbox Evasion [231] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [411] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [1] | LSA Secrets | System Information Discovery [123] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information [31] | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

                      No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe
http://ns.adoboshop/$ | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4pe | 1% | Virustotal |
http://tempuri.org/Entity/Id4pe | 0% | Avira URL Cloud | safe
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gcc.gnu.org/bugs/): | file.exe | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adoboshop/$ | vbc.exe, 00000002.00000002.354699898.0000000004E86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | file.exe, file.exe, 00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | vbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13 | vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                                                http://tempuri.org/Entity/Id15vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id16vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Noncevbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id17vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id18vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id5Responsevbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id19vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsvbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id10Responsevbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renewvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id8Responsevbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/soap/envelope/vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://search.yahoo.com?fr=crmas_sfpfvbc.exe, 00000002.00000002.362689753.0000000007D26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358855894.0000000006CF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357196581.0000000006B53000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362080107.0000000007C8B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361557498.0000000007BCE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.361472237.0000000007BB1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362548163.0000000007D09000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364377850.0000000007EC8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.364566369.0000000007EE5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363666444.0000000007E21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.358245791.0000000006C64000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.362239438.0000000007CA8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363083426.0000000007D87000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363208113.0000000007DA4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.363550422.0000000007E05000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1vbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trustvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id23Responsevbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.357253699.0000000006B60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://tempuri.org/Entity/Id4pevbc.exe, 00000002.00000002.355948732.0000000006A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/06/addressingexvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoorvbc.exe, 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
172.86.120.146 | unknown | United States | 17139 | NETRANGEUS | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756296
Start date and time: 2022-11-30 00:10:11 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 7.2% (good quality ratio 4.1%)
• Quality average: 29.7%
• Quality standard deviation: 28.1%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:11:51 | API Interceptor | 28x Sleep call for process: vbc.exe modified
No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKAHKx1V:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxo
MD5: AA480F97CE07B9F7A0B038BD06505712
SHA1: 0D7E42D0733A18A4C48B83EBBC68575925B0CD69
SHA-256: 433F8C545F788D4F901AAD7B70F63700BD6861A1ABE32FAE7C8FD08AE29004BD
SHA-512: 9A3AAEF350767D68BD455F50272BB942A860D3712C831C99896B9814C1733198321B3422D7E411974C56D71DA064716E354BAC0963DFB1D9A786612897A2A4CF
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.273721496886178
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2564217
MD5: b285997d1fb1ed7ff9129e4e9566c2e5
SHA1: 64fe09e86b2e6dc67bb85faf9d7a746976edb4a0
SHA256: 8edce063ac9af61dd0b493b9dec7e959b93021ad55a07cfe6e2b5519b46581f2
SHA512: d232f632f725ca0351f9c370000f2c3c2f70f2a221e29f33a5e167a9b42d1529ca84f51854a8d9944a4534464f6ec5327b9b01bb46ca5370680f52216d49bef6
SSDEEP: 24576:ZRjcXgYLSaH8MlV0/AGQsHE9iWJnVo2FDq6mZC/36KBsQ96letoreojRqkdvgdBx:Hjh3E7nVoYDv/3DBsQ+dkBx
TLSH: 87C51B036A8B0D75DDD27BB461CB633AA738ED30CA2A9F7FB608C53559532C46C1A742
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...87.c....@Z.........'.....t....................@..........................`.......s'...@... ............................
                                                                                                                                                  Icon Hash:00828e8e8686b000
                                                                                                                                                  Entrypoint:0x401490
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows cui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                  Time Stamp:0x63863738 [Tue Nov 29 16:45:44 2022 UTC]
                                                                                                                                                  TLS Callbacks:0x415370, 0x415320
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:4
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:4
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:26093aeed04a948c138ea9102034d47f
Instruction
mov dword ptr [00533060h], 00000000h
jmp 00007F93A0BC42C6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F93A0BE7446h
test eax, eax
sete al
add esp, 1Ch
movzx eax, al
neg eax
ret
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 004E6000h
call dword ptr [00534208h]
sub esp, 04h
test eax, eax
je 00007F93A0BC4685h
mov ebx, eax
mov dword ptr [esp], 004E6000h
call dword ptr [00534224h]
mov edi, dword ptr [00534210h]
sub esp, 04h
mov dword ptr [00533020h], eax
mov dword ptr [esp+04h], 004E6013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 004E6029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [004C1004h], eax
test esi, esi
je 00007F93A0BC4623h
mov dword ptr [esp+04h], 00533024h
mov dword ptr [esp], 004F4104h
call esi
mov dword ptr [esp], 00401560h
call 00007F93A0BC4573h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov eax, 0041AE40h
mov esi, 0000A660h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x134000 | 0xa98 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x137000 | 0x6320 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xed1f4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1341e4 | 0x1a8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbfd38 | 0xbfe00 | False | 0.37507888843648207 | data | 6.311305933324127 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xc1000 | 0x247d0 | 0x24800 | False | 0.6999678938356164 | dBase III DBT, version number 0, next free block index 10, 1st item "D\213k\034B\\200\320\321\227\233<\035\214\\264\363\270\346\0341\215\342+\356\035_\362\2407\313\231"*" | 7.147373481327555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xe6000 | 0xd7e0 | 0xd800 | False | 0.3976236979166667 | data | 5.768246776593719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4 | 0xf4000 | 0x3e014 | 0x3e200 | False | 0.20320359657947687 | data | 4.932991729749517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x133000 | 0xbe0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x134000 | 0xa98 | 0xc00 | False | 0.3707682291666667 | data | 4.802653247939785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x135000 | 0x30 | 0x200 | False | 0.060546875 | data | 0.2233456448570176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x136000 | 0x8 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x137000 | 0x6320 | 0x6400 | False | 0.6265625 | data | 6.629503326426674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14 | 0x13e000 | 0x110 | 0x200 | False | 0.259765625 | Matlab v4 mat-file (little endian) *, rows 2, columns 262144 | 1.4688848769576526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29 | 0x13f000 | 0x114cc | 0x11600 | False | 0.43585600269784175 | Matlab v4 mat-file (little endian) \232aA, rows 2, columns 17039360 | 5.953087124455304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41 | 0x151000 | 0x1b2d | 0x1c00 | False | 0.2998046875 | data | 4.934458145598331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55 | 0x153000 | 0x6bdd | 0x6c00 | False | 0.4019097222222222 | data | 5.235076571151023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67 | 0x15a000 | 0x38 | 0x200 | False | 0.1171875 | data | 0.6721446845015864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80 | 0x15b000 | 0x1ea | 0x200 | False | 0.609375 | data | 4.817520394014974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/91 | 0x15c000 | 0x7f05 | 0x8000 | False | 0.437591552734375 | data | 5.358754830827274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/107 | 0x164000 | 0x1028 | 0x1200 | False | 0.5264756944444444 | data | 5.155904228339899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, FormatMessageA, FreeConsole, FreeLibrary, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll | __getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _close, _errno, _fdopen, _filelengthi64, _fileno, _fileno, _fstat64, _initterm, _iob, _lseeki64, _onexit, _read, _wfopen, _write, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getwc, iswctype, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, putc, putwc, realloc, setlocale, setvbuf, signal, strchr, strcmp, strcoll, strerror, strftime, strlen, strncmp, strxfrm, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcsxfrm
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/30/22-00:11:55.241038 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
11/30/22-00:11:30.935107 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
11/30/22-00:11:32.905229 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:11:30.393584013 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:30.536389112 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:30.536550045 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:30.935106993 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:31.077410936 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:31.164304972 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:32.762913942 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:32.905229092 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:32.960944891 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:40.604437113 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:40.792125940 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:40.927454948 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:40.927488089 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:40.927510977 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:40.927557945 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:40.976969957 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:42.876482964 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.196058989 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.337716103 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:43.386504889 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.453166008 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.594470024 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:43.631895065 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.773346901 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:43.821464062 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:43.876497030 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:44.017739058 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:44.034832001 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:44.175971985 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:44.187093019 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:44.329595089 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:44.350819111 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:44.510768890 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
Nov 30, 2022 00:11:44.555418968 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:45.115401030 CET | 49684 | 2819 | 192.168.2.3 | 172.86.120.146
Nov 30, 2022 00:11:45.258395910 CET | 2819 | 49684 | 172.86.120.146 | 192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:45.310391903 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.084223986 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.225177050 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.225202084 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.225231886 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.225245953 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.225251913 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.225322008 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.225322008 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.276420116 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.276525974 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.366136074 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366178036 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366205931 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366224051 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366239071 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366262913 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366262913 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.366271973 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.366375923 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.366485119 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.366520882 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.417468071 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.417593002 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507074118 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507108927 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507154942 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507204056 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507246971 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507250071 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507329941 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507458925 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507477045 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507505894 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507524014 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507539034 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507556915 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507584095 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507601023 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507695913 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507716894 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507865906 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507873058 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507931948 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507949114 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.507953882 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.507992029 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.508111954 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.508132935 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.508236885 CET496842819192.168.2.3172.86.120.146
                                                                                                                                                  Nov 30, 2022 00:11:49.558928967 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.558964968 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655164003 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655400038 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655414104 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655426025 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655445099 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655457020 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655524969 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655536890 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655729055 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655822039 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655922890 CET281949684172.86.120.146192.168.2.3
                                                                                                                                                  Nov 30, 2022 00:11:49.655935049 CET281949684172.86.120.146192.168.2.3
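When a Joe Sandbox report is exported to plain text, the five columns of the TCP packet table (Timestamp, Source Port, Dest Port, Source IP, Dest IP) are run together with no separator, e.g. `Nov 30, 2022 00:11:42.876482964 CET496842819192.168.2.3172.86.120.146`, and a line like that cannot be split unambiguously on its own: the port digits share a run with the first octet, and the source IP's last octet shares a run with the destination IP's first octet. The script below is an added example, not part of the Joe Sandbox report or its tooling. It recovers the flow tuples by enumerating every syntactically valid split of each line and keeping the one whose mirror image (the reply direction, ports and addresses swapped) is also a valid reading of some other line in the table, then summarises the session per direction and picks out the non-private endpoint the sample talked to (172.86.120.146:2819 in this report). The six sample rows are copied from the table above; the assumption that a timezone token such as `CET` immediately precedes the fused digit columns is mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: six rows copied from the report's TCP packet table as it
# appears in the plain-text export (columns run together). Assumption: the
# timezone token ("CET") is the last thing before the fused digit columns.
RAW_LINES = [
    "Nov 30, 2022 00:11:42.876482964 CET496842819192.168.2.3172.86.120.146",
    "Nov 30, 2022 00:11:43.196058989 CET496842819192.168.2.3172.86.120.146",
    "Nov 30, 2022 00:11:43.337716103 CET281949684172.86.120.146192.168.2.3",
    "Nov 30, 2022 00:11:43.386504889 CET496842819192.168.2.3172.86.120.146",
    "Nov 30, 2022 00:11:43.453166008 CET496842819192.168.2.3172.86.120.146",
    "Nov 30, 2022 00:11:43.594470024 CET281949684172.86.120.146192.168.2.3",
]

LINE_RE = re.compile(r"^(?P<ts>.+?\s[A-Z]{3,4})(?P<rest>\d[\d.]*)$")


def _octets_ok(ip):
    parts = ip.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or not p.startswith("0"))
        for p in parts
    )


def _port_ok(p):
    return p.isdigit() and not p.startswith("0") and int(p) <= 65535


def candidates(rest):
    """Enumerate every (sport, dport, src, dst) reading of a fused column string
    that passes syntactic checks. The ports and the first octet of the source IP
    share seg[0]; the last octet of the source IP and the first octet of the
    destination IP share seg[3]."""
    seg = rest.split(".")
    if len(seg) != 7:                 # two dotted quads contribute exactly six dots
        return []
    out = []
    for a in range(1, 4):             # digits of the source IP's first octet
        ports, o1 = seg[0][:-a], seg[0][-a:]
        for b in range(1, 4):         # digits of the source IP's last octet
            o4, d1 = seg[3][:b], seg[3][b:]
            src = ".".join([o1, seg[1], seg[2], o4])
            dst = ".".join([d1, seg[4], seg[5], seg[6]])
            if not (_octets_ok(src) and _octets_ok(dst)):
                continue
            for cut in range(1, len(ports)):   # split the digit run into two ports
                sport, dport = ports[:cut], ports[cut:]
                if _port_ok(sport) and _port_ok(dport):
                    out.append((int(sport), int(dport), src, dst))
    return out


def parse_packets(lines):
    """Resolve each line to one tuple using TCP symmetry: the reply direction has
    ports and addresses swapped, so a reading is accepted only if its mirror image
    is a possible reading of some other line in the table."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised packet line: {line!r}")
        parsed.append((m.group("ts"), candidates(m.group("rest"))))
    seen = Counter(t for _, cands in parsed for t in cands)
    rows = []
    for ts, cands in parsed:
        mirrored = [t for t in cands if (t[1], t[0], t[3], t[2]) in seen]
        if len(mirrored) != 1:
            raise ValueError(f"ambiguous or one-sided packet at {ts}: {mirrored or cands}")
        rows.append((ts,) + mirrored[0])
    return rows


def summarize_flows(rows):
    """Group packets into bidirectional flows and count packets per direction."""
    flows = {}
    for ts, sport, dport, src, dst in rows:
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent key
        f = flows.setdefault(key, {"first": ts, "last": ts, "packets": Counter()})
        f["last"] = ts
        f["packets"][f"{src}:{sport}->{dst}:{dport}"] += 1
    return flows


def remote_endpoints(flows):
    """Return the non-private (ip, port) endpoints, i.e. what the sample talked to."""
    return sorted({ep for key in flows for ep in key
                   if not ipaddress.ip_address(ep[0]).is_private})


if __name__ == "__main__":
    flows = summarize_flows(parse_packets(RAW_LINES))
    for key, f in flows.items():
        print(key, f["first"], "->", f["last"], dict(f["packets"]))
    print("remote endpoints:", remote_endpoints(flows))
```

The mirror check is deliberately strict: a packet whose only valid readings have no counterpart in the opposite direction (a lone SYN to a dead C2, or a table cut off mid-flow) raises rather than being guessed, which is the behaviour you want before the tuples are turned into indicators.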


Target ID:0
Start time:00:11:11
Start date:30/11/2022
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\file.exe
Imagebase:0x3e0000
File size:2564217 bytes
MD5 hash:B285997D1FB1ED7FF9129E4E9566C2E5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:low

Target ID:1
Start time:00:11:11
Start date:30/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:00:11:12
Start date:30/11/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):true
Commandline:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe
Imagebase:0xa90000
File size:2688096 bytes
MD5 hash:B3A917344F5610BEEC562556F11300FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

No disassembly