Windows Analysis Report
vjYcExA6ou.exe

Overview

General Information

Sample name: vjYcExA6ou.exe
renamed because original name is a hash value
Original sample name: c5f20b0cb835adff91c281ba3e9995e3.exe
Analysis ID: 1464859
MD5: c5f20b0cb835adff91c281ba3e9995e3
SHA1: b7edfc4fb9befe9acf241e423741e27d68dfd832
SHA256: 416b40630daa924136b9d10e0faa8c800a7a882416f4e5b7944f9bc2553a414b
Tags: 32exetrojan
Infos:

Detection

PureLog Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Vidar stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199707802586 Avira URL Cloud: Label: malware
Source: https://t.me/g067n Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "04528874bc19972336f89c7a55ea182c"}
Multi AV Scanner detection for submitted file
Source: vjYcExA6ou.exe ReversingLabs: Detection: 18%
Source: vjYcExA6ou.exe Virustotal: Detection: 20% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetProcAddress
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: lstrcatA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: OpenEventA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateEventA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CloseHandle
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Sleep
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: VirtualFree
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HeapAlloc
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: lstrcpyA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: lstrlenA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ExitProcess
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetSystemTime
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: advapi32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: gdi32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: user32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: crypt32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ntdll.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetUserNameA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateDCA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ReleaseDC
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sscanf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: NtQueryInformationProcess
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: VMwareVMware
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HAL9TH
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: JohnDoe
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DISPLAY
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GlobalLock
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HeapFree
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetFileSize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GlobalSize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: IsWow64Process
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Process32Next
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetLocalTime
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: FreeLibrary
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Process32First
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DeleteFileA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: FindNextFileA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: LocalFree
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: FindClose
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: LocalAlloc
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ReadFile
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SetFilePointer
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: WriteFile
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateFileA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CopyFileA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: VirtualProtect
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetLastError
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: lstrcpynA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GlobalFree
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: OpenProcess
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: TerminateProcess
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ole32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: wininet.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: shell32.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: psapi.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SelectObject
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BitBlt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DeleteObject
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GdipFree
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CoUninitialize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CoInitialize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetWindowRect
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetDC
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CloseWindow
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: wsprintfA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CharToOemW
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: wsprintfW
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RegCloseKey
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetConnectA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetOpenA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetReadFile
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: StrCmpCA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: StrStrA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: StrCmpCW
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PathMatchSpecA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RmStartSession
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RmRegisterResources
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RmGetList
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: RmEndSession
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_open
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_step
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_column_text
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_finalize
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_close
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3_column_blob
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: encrypted_key
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PATH
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: NSS_Init
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: NSS_Shutdown
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PK11_FreeSlot
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PK11_Authenticate
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: C:\ProgramData\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Soft:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: profile:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Host:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Login:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Password:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Opera
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: OperaGX
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Network
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Cookies
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: .txt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: TRUE
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: FALSE
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Autofill
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: History
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Name:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Month:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Year:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Card:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Cookies
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Login Data
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Web Data
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: History
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: logins.json
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: formSubmitURL
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: usernameField
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: encryptedUsername
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: encryptedPassword
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: guid
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: cookies.sqlite
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: formhistory.sqlite
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: places.sqlite
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Plugins
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Local Extension Settings
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Sync Extension Settings
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: IndexedDB
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Opera Stable
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Opera GX Stable
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: CURRENT
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: chrome-extension_
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Local State
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: profiles.ini
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: chrome
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: opera
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: firefox
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Wallets
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ProductName
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ProcessorNameString
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DisplayName
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DisplayVersion
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: freebl3.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: mozglue.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: msvcp140.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: nss3.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: softokn3.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: vcruntime140.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Temp\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: .exe
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: runas
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: open
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: /c start
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %DESKTOP%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %APPDATA%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %USERPROFILE%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %DOCUMENTS%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: %RECENT%
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: *.lnk
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Files
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \discord\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Telegram Desktop\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: key_datas
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: map*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Telegram
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: *.tox
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: *.ini
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Password
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: 00000001
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: 00000002
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: 00000003
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: 00000004
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Pidgin
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \.purple\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: accounts.xml
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: token:
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Software\Valve\Steam
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: SteamPath
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \config\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ssfn*
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: config.vdf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DialogConfig.vdf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: libraryfolders.vdf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: loginusers.vdf
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Steam\
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: sqlite3.dll
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: browsers
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: done
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Soft
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: https
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: POST
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: HTTP/1.1
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: hwid
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: build
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: token
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: file_name
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: file
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: message
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree, 5_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 5_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 5_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 5_2_0040AB80
Uses 32bit PE files
Source: vjYcExA6ou.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: vjYcExA6ou.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: kernelsoft.pdb source: vjYcExA6ou.exe
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\IeEPZ.pdb source: vjYcExA6ou.exe, 00000000.00000002.2017275765.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdbH] source: vjYcExA6ou.exe, 00000000.00000002.2014897676.0000000003281000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014839130.0000000003250000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: vjYcExA6ou.exe, 00000000.00000002.2014897676.0000000003281000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014839130.0000000003250000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 5_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 5_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 5_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 5_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 5_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 5_2_0041738D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA, 5_2_004169EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05D1D4D0

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor URLs: https://t.me/g067n
Yara detected Generic Downloader
Source: Yara match File source: vjYcExA6ou.exe, type: SAMPLE
Source: Yara match File source: 0.0.vjYcExA6ou.exe.930000.0.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 195.201.251.214:9000
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.5:62239 -> 162.159.36.2:53
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.251.214 195.201.251.214
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.251.214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 5_2_004058C4
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
Source: vjYcExA6ou.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vjYcExA6ou.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: vjYcExA6ou.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: vjYcExA6ou.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: vjYcExA6ou.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: vjYcExA6ou.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vjYcExA6ou.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: vjYcExA6ou.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: vjYcExA6ou.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: vjYcExA6ou.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: vjYcExA6ou.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vjYcExA6ou.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vjYcExA6ou.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: vjYcExA6ou.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: vjYcExA6ou.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: vjYcExA6ou.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: vjYcExA6ou.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, 00000005.00000002.3264150204.000000002221D000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.5.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214/
Source: MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214/i
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252361235.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/
Source: MSBuild.exe, 00000005.00000002.3252210908.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/%
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/Microsoft
Source: MSBuild.exe, 00000005.00000002.3252210908.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/Q
Source: MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/f
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252361235.0000000000D94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/freebl3.dll
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/freebl3.dlldge
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252361235.0000000000D94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/mozglue.dll
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/mozglue.dll))%
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/mozglue.dlldge
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/msvcp140.dll
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/msvcp140.dll%)
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/msvcp140.dll1)
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/msvcp140.dll15;
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/msvcp140.dllge
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252361235.0000000000D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/nss3.dll
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/nss3.dll2h
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/nss3.dllt
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/softokn3.dll
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/softokn3.dllge
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/sqlt.dll
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dll
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dll$
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/vcruntime140.dllser
Source: MSBuild.exe, 00000005.00000002.3252291874.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000/y
Source: MSBuild.exe, 00000005.00000002.3250842957.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000f54txtft
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000ng
Source: MSBuild.exe, 00000005.00000002.3250842957.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://195.201.251.214:9000ontent-Disposition:
Source: HDAAAA.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: HDAAAA.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HDAAAA.5.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HDAAAA.5.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HDAAAA.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HDAAAA.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HDAAAA.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vjYcExA6ou.exe String found in binary or memory: https://github.com/mullvad/mullvadvpn-app#readme0
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-15916
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-159168
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-18203
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-18203.
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-20454
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-20454G
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-20455
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-20455N
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-21228
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-7046
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-7046Q
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.adguard.com/browse/AG-7791
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.int.agrd.dev/browse/AG-32263
Source: vjYcExA6ou.exe String found in binary or memory: https://jira.int.agrd.dev/browse/AG-32263-
Source: vjYcExA6ou.exe, 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: vjYcExA6ou.exe, 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: vjYcExA6ou.exe, 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3252210908.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067n
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067ni
Source: vjYcExA6ou.exe, 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: MSBuild.exe, 00000005.00000002.3252210908.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: vjYcExA6ou.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: HDAAAA.5.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: HDAAAA.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49706 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00413160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 5_2_00413160
Detected potential crypto function
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013DA108 0_2_013DA108
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013DB558 0_2_013DB558
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013DE7C0 0_2_013DE7C0
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013D31A8 0_2_013D31A8
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013D3198 0_2_013D3198
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013D3558 0_2_013D3558
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_013D3548 0_2_013D3548
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05797538 0_2_05797538
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05794458 0_2_05794458
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05798730 0_2_05798730
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05792106 0_2_05792106
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_057981A8 0_2_057981A8
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_0579A3A0 0_2_0579A3A0
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05799A80 0_2_05799A80
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05797528 0_2_05797528
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05794448 0_2_05794448
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05792C38 0_2_05792C38
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_057994D8 0_2_057994D8
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_057994C9 0_2_057994C9
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05798720 0_2_05798720
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_0579A148 0_2_0579A148
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_0579A13A 0_2_0579A13A
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05798198 0_2_05798198
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_0579A390 0_2_0579A390
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05799A70 0_2_05799A70
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05798A98 0_2_05798A98
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05798A88 0_2_05798A88
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05D11B10 0_2_05D11B10
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05D13036 0_2_05D13036
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Code function: 0_2_05D13201 0_2_05D13201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041ECEC 5_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041E919 5_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041EEC1 5_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041F6CF 5_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE4CF0 5_2_21FE4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD209F 5_2_21FD209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2205A0B0 5_2_2205A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FFA560 5_2_21FFA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD47AF 5_2_21FD47AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE66C0 5_2_21FE66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220CA590 5_2_220CA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2210E800 5_2_2210E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD3E3B 5_2_21FD3E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD481D 5_2_21FD481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220EA900 5_2_220EA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220CA940 5_2_220CA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FDEA80 5_2_21FDEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FDAA40 5_2_21FDAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220B69C0 5_2_220B69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22016E80 5_2_22016E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_221AAEBE 5_2_221AAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22032EE0 5_2_22032EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD19DD 5_2_21FD19DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FDF160 5_2_21FDF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22003370 5_2_22003370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD174E 5_2_21FD174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22007810 5_2_22007810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FFBAB0 5_2_21FFBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD251D 5_2_21FD251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD290A 5_2_21FD290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD3AB2 5_2_21FD3AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220F8030 5_2_220F8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22050090 5_2_22050090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22058120 5_2_22058120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22034760 5_2_22034760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22068760 5_2_22068760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22110480 5_2_22110480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FF8763 5_2_21FF8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FF8680 5_2_21FF8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220D4A60 5_2_220D4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FDC800 5_2_21FDC800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD1EF1 5_2_21FD1EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2200CE10 5_2_2200CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FF8D2A 5_2_21FF8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_221AD209 5_2_221AD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD3580 5_2_21FD3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220653B0 5_2_220653B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE9000 5_2_21FE9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220F5040 5_2_220F5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22079690 5_2_22079690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2208D6D0 5_2_2208D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FDD4C0 5_2_21FDD4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22139430 5_2_22139430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220F9A20 5_2_220F9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD2018 5_2_21FD2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD1C9E 5_2_21FD1C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22085940 5_2_22085940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD2AA9 5_2_21FD2AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD12A8 5_2_21FD12A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22001C50 5_2_22001C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD292D 5_2_21FD292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22139CC0 5_2_22139CC0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 221B06B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 21FD395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 21FD1F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 21FD3AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 21FD1C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 21FD415B appears 173 times
PE / OLE file has an invalid certificate
Source: vjYcExA6ou.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: vjYcExA6ou.exe, 00000000.00000002.2013998745.00000000013EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2014897676.000000000334B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2014897676.000000000334B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2014897676.000000000334B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2014897676.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2017275765.0000000005A00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIeEPZ.dll0 vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe, 00000000.00000002.2014839130.0000000003250000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs vjYcExA6ou.exe
Source: vjYcExA6ou.exe Binary or memory string: OriginalFilenamekernelsoft.exe$ vs vjYcExA6ou.exe
Uses 32bit PE files
Source: vjYcExA6ou.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.vjYcExA6ou.exe.3250000.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.vjYcExA6ou.exe.3250000.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.vjYcExA6ou.exe.32c9f80.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.vjYcExA6ou.exe.32c9f80.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.vjYcExA6ou.exe.5a00000.12.raw.unpack, FJWhwL.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/11@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 5_2_0041246A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 5_2_004129BF
Source: C:\Users\user\Desktop\vjYcExA6ou.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vjYcExA6ou.exe.log Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Mutant created: NULL
Source: vjYcExA6ou.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vjYcExA6ou.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: FIJECA.5.dr, AFHDAK.5.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: vjYcExA6ou.exe ReversingLabs: Detection: 18%
Source: vjYcExA6ou.exe Virustotal: Detection: 20%
Source: vjYcExA6ou.exe String found in binary or memory: /stopService
Source: vjYcExA6ou.exe String found in binary or memory: /stopService
Source: vjYcExA6ou.exe String found in binary or memory: /reinstall
Source: vjYcExA6ou.exe String found in binary or memory: in-addr.arpa
Source: unknown Process created: C:\Users\user\Desktop\vjYcExA6ou.exe "C:\Users\user\Desktop\vjYcExA6ou.exe"
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: vjYcExA6ou.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vjYcExA6ou.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: vjYcExA6ou.exe Static file information: File size 4585688 > 1048576
Source: vjYcExA6ou.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43f800
Source: vjYcExA6ou.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: vjYcExA6ou.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: kernelsoft.pdb source: vjYcExA6ou.exe
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\IeEPZ.pdb source: vjYcExA6ou.exe, 00000000.00000002.2017275765.0000000005A00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdbH] source: vjYcExA6ou.exe, 00000000.00000002.2014897676.0000000003281000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014839130.0000000003250000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: vjYcExA6ou.exe, 00000000.00000002.2014897676.0000000003281000.00000004.00000800.00020000.00000000.sdmp, vjYcExA6ou.exe, 00000000.00000002.2014839130.0000000003250000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.3257687404.000000001C27A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3263956891.00000000221E8000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.5.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.vjYcExA6ou.exe.3250000.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.vjYcExA6ou.exe.32c9f80.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_0041B050
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00421EF5 push ecx; ret 5_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD10C8 push ecx; ret 5_2_221D3552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD1BF9 push ecx; ret 5_2_22174C03
Source: 0.2.vjYcExA6ou.exe.3250000.0.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.vjYcExA6ou.exe.3250000.0.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Source: 0.2.vjYcExA6ou.exe.32c9f80.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.vjYcExA6ou.exe.32c9f80.1.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_0041B050
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: vjYcExA6ou.exe PID: 5504, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory allocated: 13D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory allocated: 3280000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory allocated: 1670000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\vjYcExA6ou.exe TID: 2436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose, 5_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 5_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 5_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 5_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 5_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 5_2_0041738D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA, 5_2_004169EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00411F21 GetSystemInfo,wsprintfA, 5_2_00411F21
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: EHDGCG.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: EHDGCG.5.dr Binary or memory string: discord.comVMware20,11696428655f
Source: EHDGCG.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: global block list test formVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3251961144.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: EHDGCG.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: EHDGCG.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: EHDGCG.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: EHDGCG.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: EHDGCG.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: EHDGCG.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: EHDGCG.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: EHDGCG.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: EHDGCG.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: EHDGCG.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: EHDGCG.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: EHDGCG.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.3251961144.0000000000C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: EHDGCG.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: EHDGCG.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: EHDGCG.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: EHDGCG.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00421C0B
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_0041B050
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0041ACF3 mov eax, dword ptr fs:[00000030h] 5_2_0041ACF3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 5_2_004058C4
Enables debug privileges
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00423DCD SetUnhandledExceptionFilter, 5_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD42AF SetUnhandledExceptionFilter, 5_2_21FD42AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FD2C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_21FD2C8E
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: vjYcExA6ou.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3396, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00410A14 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 5_2_00410A14
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Searches for specific processes (likely to inject)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification, 5_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 5_2_004137BD
Writes to foreign memory regions
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 643000 Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 984008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00401000 cpuid 5_2_00401000
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 5_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_21FD298C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 5_2_221AFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 5_2_21FD2112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 5_2_21FD2112
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Queries volume information: C:\Users\user\Desktop\vjYcExA6ou.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00411C63 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 5_2_00411C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA, 5_2_00411BEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00411CBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 5_2_00411CBF
Source: C:\Users\user\Desktop\vjYcExA6ou.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: MSBuild.exe, 00000005.00000002.3252361235.0000000000D24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: vjYcExA6ou.exe, type: SAMPLE
Source: Yara match File source: 0.0.vjYcExA6ou.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2007705675.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.4382790.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.441d610.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.43e9be0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.441d610.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.43e9be0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.434ed60.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.434ed60.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vjYcExA6ou.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3396, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3396, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: vjYcExA6ou.exe, type: SAMPLE
Source: Yara match File source: 0.0.vjYcExA6ou.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2007705675.0000000000932000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.4382790.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.441d610.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.43e9be0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.4382790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.441d610.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.43e9be0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.434ed60.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vjYcExA6ou.exe.434ed60.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2016370667.000000000441D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2014897676.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.000000000434E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016370667.0000000004382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3250842957.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3250842957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vjYcExA6ou.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3396, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2203E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 5_2_2203E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2203E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 5_2_2203E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2204E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_2204E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2204A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 5_2_2204A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 5_2_21FE66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2202EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 5_2_2202EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22093770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_22093770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220B37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_220B37E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FFB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 5_2_21FFB400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22007810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 5_2_22007810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22048200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 5_2_22048200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220B4140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 5_2_220B4140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220206E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 5_2_220206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22008430 sqlite3_bind_int64, 5_2_22008430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22028550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 5_2_22028550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FF8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 5_2_21FF8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 5_2_21FE4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22008970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 5_2_22008970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22000FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 5_2_22000FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22008CB0 sqlite3_bind_zeroblob, 5_2_22008CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220B4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 5_2_220B4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2208D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_2208D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22069090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 5_2_22069090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220751D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_220751D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220AD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_220AD610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220F14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 5_2_220F14D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220FD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 5_2_220FD4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220755B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_220755B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2204DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 5_2_2204DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22075910 sqlite3_mprintf,sqlite3_bind_int64, 5_2_22075910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_220FD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 5_2_220FD9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_21FE5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 5_2_21FE5C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_2204DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 5_2_2204DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_22051FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 5_2_22051FE0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1464859 Sample: vjYcExA6ou.exe Startdate: 30/06/2024 Architecture: WINDOWS Score: 100 26 t.me 2->26 28 fp2e7a.wpc.phicdn.net 2->28 30 2 other IPs or domains 2->30 36 Found malware configuration 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 10 other signatures 2->42 7 vjYcExA6ou.exe 3 2->7         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\vjYcExA6ou.exe.log, ASCII 7->22 dropped 44 Writes to foreign memory regions 7->44 46 Allocates memory in foreign processes 7->46 48 Injects a PE file into a foreign processes 7->48 11 MSBuild.exe 7->11         started        14 MSBuild.exe 29 7->14         started        18 MSBuild.exe 7->18         started        20 MSBuild.exe 7->20         started        signatures6 process7 dnsIp8 50 Contains functionality to inject code into remote processes 11->50 52 Searches for specific processes (likely to inject) 11->52 32 t.me 149.154.167.99, 443, 49706 TELEGRAMRU United Kingdom 14->32 34 195.201.251.214, 49707, 49709, 49710 HETZNER-ASDE Germany 14->34 24 C:\Users\user\AppData\Local\...\sqlt[1].dll, PE32 14->24 dropped 54 Tries to harvest and steal browser information (history, passwords, etc) 14->54 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.201.251.214
 unknown Germany
24940 HETZNER-ASDE false
149.154.167.99
 t.me United Kingdom
62041 TELEGRAMRU true

Contacted Domains

Name IP Active
t.me 149.154.167.99 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
56.126.166.20.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561199707802586 true
  • Avira URL Cloud: malware
 unknown
https://t.me/g067n true
  • Avira URL Cloud: malware
 unknown