Windows Analysis Report
vhFZk5qPZd.exe

Overview

General Information

Sample name: vhFZk5qPZd.exe
renamed because original name is a hash value
Original sample name: B37FB6FCD79F8E7CAD5F1B5AB40D107A.exe
Analysis ID: 1538239
MD5: b37fb6fcd79f8e7cad5f1b5ab40d107a
SHA1: 3aeedadae2d4564000014baae138bb05af2e8016
SHA256: 9a758275144859206b6f3149212ba72c51ead3549da162723bd7d28116fa522e
Tags: exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

barindex
Source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: vhFZk5qPZd.exe ReversingLabs: Detection: 71%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: vhFZk5qPZd.exe Joe Sandbox ML: detected
Source: vhFZk5qPZd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vhFZk5qPZd.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: qnT.pdb source: vhFZk5qPZd.exe
Source: Binary string: qnT.pdbSHA256M source: vhFZk5qPZd.exe
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B36E27h 5_2_07B366C8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B36624h 5_2_07B36360
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B324BBh 5_2_07B32288
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B314A2h 5_2_07B31080
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B31922h 5_2_07B31080
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B39290h 5_2_07B38D98
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_07B35BF0
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 4x nop then jmp 07B34E2Bh 5_2_07B34E13

Networking

barindex
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 188.190.10.19:1912 -> 192.168.2.9:49739
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 188.190.10.19:1912 -> 192.168.2.9:49739
Source: Malware configuration extractor URLs: 188.190.10.19:1912
Source: global traffic TCP traffic: 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Joe Sandbox View ASN Name: ASINTTELUA ASINTTELUA
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: vhFZk5qPZd.exe, 00000005.00000002.1527029912.00000000015CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_010AD6C4 0_2_010AD6C4
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA0438 0_2_05CA0438
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA10B8 0_2_05CA10B8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA0950 0_2_05CA0950
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA3970 0_2_05CA3970
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9AE8 0_2_05CA9AE8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9AD7 0_2_05CA9AD7
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07147B28 0_2_07147B28
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07141D57 0_2_07141D57
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07141D58 0_2_07141D58
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07143460 0_2_07143460
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07141920 0_2_07141920
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07149968 0_2_07149968
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071441B8 0_2_071441B8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071441C8 0_2_071441C8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07143898 0_2_07143898
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071418E7 0_2_071418E7
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_0159DC74 5_2_0159DC74
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B33780 5_2_07B33780
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B366C8 5_2_07B366C8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B37580 5_2_07B37580
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B34528 5_2_07B34528
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B35500 5_2_07B35500
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B33318 5_2_07B33318
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B31080 5_2_07B31080
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B30040 5_2_07B30040
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B38D98 5_2_07B38D98
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B33DC0 5_2_07B33DC0
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B3BCF8 5_2_07B3BCF8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B3ACE8 5_2_07B3ACE8
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B35BF0 5_2_07B35BF0
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B33770 5_2_07B33770
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B354F0 5_2_07B354F0
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B33309 5_2_07B33309
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B3106F 5_2_07B3106F
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B35BE0 5_2_07B35BE0
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1375920815.00000000074D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000000.1355217561.0000000000716000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqnT.exeD vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1370104428.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000005.00000002.1525488184.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe Binary or memory string: OriginalFilenameqnT.exeD vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vhFZk5qPZd.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@0/1
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vhFZk5qPZd.exe.log Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Mutant created: NULL
Source: vhFZk5qPZd.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vhFZk5qPZd.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: vhFZk5qPZd.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: vhFZk5qPZd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vhFZk5qPZd.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: vhFZk5qPZd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: qnT.pdb source: vhFZk5qPZd.exe
Source: Binary string: qnT.pdbSHA256M source: vhFZk5qPZd.exe

Data Obfuscation

barindex
Source: vhFZk5qPZd.exe, FormGame.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: vhFZk5qPZd.exe, FormGame.cs .Net Code: InitializeComponent
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
Source: vhFZk5qPZd.exe Static PE information: 0xFAE5C82E [Wed May 23 11:29:50 2103 UTC]
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA410 push cs; retf 0_2_05CAA41E
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF7C9 pushad ; retf 0_2_05CAF7CA
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF7F3 pushad ; retf 0_2_05CAF7F4
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA91A8 push ebx; retf 0_2_05CA91B2
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAD123 push eax; retf 0_2_05CAD131
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA02F push ecx; retf 0_2_05CAA03B
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA390 push cs; retf 0_2_05CAA41E
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9290 push esi; retf 0_2_05CA929A
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9258 push esp; retf 0_2_05CAA5D6
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA923D push cs; retf 0_2_05CA923F
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF93C pushad ; retf 0_2_05CAF93D
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF8E1 pushad ; retf 0_2_05CAF8E2
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF840 pushad ; retf 0_2_05CAF841
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF874 pushad ; retf 0_2_05CAF875
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071417AB push eax; retf 0_2_071417AC
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07141616 push eax; retf 0_2_0714161C
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071416E9 push eax; retf 0_2_071416EF
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_0714147F push eax; retf 0_2_07141480
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071462DC push ds; iretd 0_2_071462DF
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071459F1 push eax; retf 0_2_07145A00
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_015947D7 push ebp; iretd 5_2_0159483D
Source: vhFZk5qPZd.exe Static PE information: section name: .text entropy: 7.988836332316538
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, aK9Kvdl6aKUkU8Qr4f.cs High entropy of concatenated method names: 'UjpZDxuQcH', 'NDsZ90Dfci', 'PUXZxMFHJG', 'ubXZGOghwh', 'rncZU25r29', 'CBRZIM3O5i', 'ruKZRcSRpg', 'BkjZP89NOB', 'J8sZf4M4r3', 'pq4ZnLvxcv'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, KmasHNN3HsYiqa4rkJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFjueAFU9M', 'GaKuMhliWc', 'Fq6uz2Lg0J', 'hMpWdoAer4', 'EJUWiV46lM', 'K76Wud02yw', 'TA5WWhlDF8', 'Kfx7aT1fOr3tOmLH66J'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, xMgPZhF2YiiucHy84N.cs High entropy of concatenated method names: 'TVa2hS8Pq', 'qqtDFdbcG', 'r7a9QGCli', 'c7SHVPyvY', 'hw2GuSejw', 'MpEjlTiSc', 'CIHv9Ka4ulKCb2gW59', 'rJkpcSIv0A0LqTjTWV', 'YvPPgM08K', 'PCon7UI5P'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, DCOGKBJuI90uQyZEqx.cs High entropy of concatenated method names: 'bcShYDTcY0', 'KWihHxJ2Si', 'GsdZLyYu72', 'ijLZrT15F3', 'zZ1Z0OLfe6', 'ucuZ5TvniO', 'Ng3ZkOJJAe', 'x12ZwOP2n7', 'xsJZ7uKfWr', 'OadZJKsx6t'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, zAZA74R3JuOHGsNPQp.cs High entropy of concatenated method names: 'mpUPF8HxGP', 'sl2P3M9dFj', 'Xv9PLLtRtk', 'HGdPrmyVnl', 'NmQPphlo17', 'hGuP04XTCD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, a8Hs6c4KES9K7cQPSy.cs High entropy of concatenated method names: 'vpQSxHiExX', 'M6wSGrpmwf', 'DySSFyD4gf', 'CcVS3A9ZlF', 'JugSrykQgv', 'UgYS0Y1OUE', 'CDkSkoDS6Y', 'onFSwlmr2v', 'DtlSJIsjq5', 'sRYSEAdfBN'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, NshQXlehtY22OeIe4v.cs High entropy of concatenated method names: 'YaJPXIc7wd', 'Q2HPbEcyBx', 'r33PZkiFLs', 'AfdPhmghau', 'PNkP1QSsDV', 'zsePTISE0K', 'RvPPcMDNXg', 'gJpPCJAnxq', 'km4P4WZOyK', 'VtJPQQcAkr'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, XVVjaRgErtfruRfsVW.cs High entropy of concatenated method names: 'HOCiTKqPN0', 'TxbicniXSF', 'PBJi4SJeVk', 'nWwiQ4mlj6', 'ihJiUgNJqF', 'S3EiIf9qll', 'y9kbOyyahNlqEMj6Fp', 'uALTg4wljhElsdqrnS', 'e4piiVh4UJ', 'M72iWlcJLA'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, YsxcHQOp6KvdGmx9PY.cs High entropy of concatenated method names: 'AOxT6K9gql', 'rZhTNjcVBG', 'F2qT2IBxeS', 'ac0TDJVBkh', 'fUXTYJUOVM', 'USMT94Wuqx', 'oOeTHUCx4K', 'AyxTxedUuH', 'wmtTGvDZvJ', 'sRcTj3X1X0'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, xj6EE79rNsvfVDFZEi.cs High entropy of concatenated method names: 'SuibpQy8A3', 'JXJbsJ0J9n', 'R9pboLg4dB', 'xsdbVwBQLT', 'ekebKEHMBe', 'DKBbykYRPg', 'yMQb8XAREJ', 'HYRblTy6JW', 'P7Hbe9PYTB', 'vQIbMKN7vY'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, jsrcYQwhRmXlS3p8hL.cs High entropy of concatenated method names: 'XQX1A2aFVF', 'XJB1bCpvns', 'Hgl1hw6HUq', 'D2d1TDBi6O', 'mHD1cot9MD', 'EWkhKWGwkR', 'Qh8hyXt2lE', 'Uo3h8qmOpa', 'VHDhl44u76', 'oQVhehSFZh'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, RbxvwUYlkFxbfwZPku.cs High entropy of concatenated method names: 'Dispose', 'mL6ieETr9U', 'PHBu3Ybvc3', 'wIrBBCFpml', 'SGqiM7psFa', 'l1EizHMHds', 'ProcessDialogKey', 'cVqud98J6m', 'isDuinQPlD', 'Iltuu6vmEY'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs High entropy of concatenated method names: 'eX0WAiREtQ', 'YwRWX45GHI', 'n70Wb3HDKv', 'CRUWZX4XNn', 'RfMWh2ed3q', 'uXpW1GNQcs', 'WvuWTyT1ik', 'AiZWcQoNYs', 'JfyWCbicrR', 'zWOW4BIouS'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, bEVOL96eS8epun77ws.cs High entropy of concatenated method names: 'qi91otL6Sb', 'PRF1VKsjOw', 'hhJ1KSiqeu', 'ToString', 'GL31y5VePv', 'PAg180TAuB', 'UDcurdHJuAGRKhw44SY', 'fxq5p2HrtPLRn5HcNdT', 'zOAgh9HqcdBJSLEqnBl', 'FVDGBwHyyt0t7RrBQfO'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, tqpW97WuF0P2Yusw7o.cs High entropy of concatenated method names: 'jaOfijGle7', 'EbAfWkvP47', 'knDftUc7Fc', 'RYUfX07hAg', 'ycKfbtFZbv', 'qTRfh2uXL3', 'khLf1x4Gfg', 'kTrP8TXb3e', 'beuPlmPmyV', 'i5NPeClIrM'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, ccbVjrjKPfBC3Ubyvu.cs High entropy of concatenated method names: 'yYkRlPGO5i', 'BINRMT4neX', 'qsrPdHnXmF', 'pLQPivlA97', 'FSVREWkKN6', 'dKkRvVn4m2', 'jk5ROxM8nH', 'FSKRpl0Tef', 'b4QRskD7VV', 'c5URodfJUJ'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, WlCdhYQV2UlTaj7IIwC.cs High entropy of concatenated method names: 'veKf6Z1Rmh', 'BDKfN99Rmp', 'xhOf29Z62s', 'UVRfDGk0wC', 'YC1fYQ19gv', 'oU4f9NSVby', 'PyofHQM3gY', 'p2wfx3KmSK', 'gRPfGHNiEj', 'eZbfjEBdZk'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, KpC2jLQdUmQTnkoOCGb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pYbnpTd4mJ', 'n4DnsqUYnk', 'yF7noAx9lv', 'zUUnVBM0EH', 'dvsnKJesyD', 'YVVnyQsq8y', 'y6vn83x8sp'
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, bUWaQ6TUIryUiQ4QX6.cs High entropy of concatenated method names: 'nR3UJxSkSE', 'GJQUvSLwf2', 'cimUpvItms', 'iw0UsK06kc', 'fuUU3mZVJu', 'SdeULWp1pK', 'Lv3UrTPyCK', 'vnoU0TjhTt', 'V9jU5CdvM0', 'AWkUkVUD5d'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, aK9Kvdl6aKUkU8Qr4f.cs High entropy of concatenated method names: 'UjpZDxuQcH', 'NDsZ90Dfci', 'PUXZxMFHJG', 'ubXZGOghwh', 'rncZU25r29', 'CBRZIM3O5i', 'ruKZRcSRpg', 'BkjZP89NOB', 'J8sZf4M4r3', 'pq4ZnLvxcv'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, KmasHNN3HsYiqa4rkJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFjueAFU9M', 'GaKuMhliWc', 'Fq6uz2Lg0J', 'hMpWdoAer4', 'EJUWiV46lM', 'K76Wud02yw', 'TA5WWhlDF8', 'Kfx7aT1fOr3tOmLH66J'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, xMgPZhF2YiiucHy84N.cs High entropy of concatenated method names: 'TVa2hS8Pq', 'qqtDFdbcG', 'r7a9QGCli', 'c7SHVPyvY', 'hw2GuSejw', 'MpEjlTiSc', 'CIHv9Ka4ulKCb2gW59', 'rJkpcSIv0A0LqTjTWV', 'YvPPgM08K', 'PCon7UI5P'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, DCOGKBJuI90uQyZEqx.cs High entropy of concatenated method names: 'bcShYDTcY0', 'KWihHxJ2Si', 'GsdZLyYu72', 'ijLZrT15F3', 'zZ1Z0OLfe6', 'ucuZ5TvniO', 'Ng3ZkOJJAe', 'x12ZwOP2n7', 'xsJZ7uKfWr', 'OadZJKsx6t'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, zAZA74R3JuOHGsNPQp.cs High entropy of concatenated method names: 'mpUPF8HxGP', 'sl2P3M9dFj', 'Xv9PLLtRtk', 'HGdPrmyVnl', 'NmQPphlo17', 'hGuP04XTCD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, a8Hs6c4KES9K7cQPSy.cs High entropy of concatenated method names: 'vpQSxHiExX', 'M6wSGrpmwf', 'DySSFyD4gf', 'CcVS3A9ZlF', 'JugSrykQgv', 'UgYS0Y1OUE', 'CDkSkoDS6Y', 'onFSwlmr2v', 'DtlSJIsjq5', 'sRYSEAdfBN'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, NshQXlehtY22OeIe4v.cs High entropy of concatenated method names: 'YaJPXIc7wd', 'Q2HPbEcyBx', 'r33PZkiFLs', 'AfdPhmghau', 'PNkP1QSsDV', 'zsePTISE0K', 'RvPPcMDNXg', 'gJpPCJAnxq', 'km4P4WZOyK', 'VtJPQQcAkr'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, XVVjaRgErtfruRfsVW.cs High entropy of concatenated method names: 'HOCiTKqPN0', 'TxbicniXSF', 'PBJi4SJeVk', 'nWwiQ4mlj6', 'ihJiUgNJqF', 'S3EiIf9qll', 'y9kbOyyahNlqEMj6Fp', 'uALTg4wljhElsdqrnS', 'e4piiVh4UJ', 'M72iWlcJLA'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, YsxcHQOp6KvdGmx9PY.cs High entropy of concatenated method names: 'AOxT6K9gql', 'rZhTNjcVBG', 'F2qT2IBxeS', 'ac0TDJVBkh', 'fUXTYJUOVM', 'USMT94Wuqx', 'oOeTHUCx4K', 'AyxTxedUuH', 'wmtTGvDZvJ', 'sRcTj3X1X0'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, xj6EE79rNsvfVDFZEi.cs High entropy of concatenated method names: 'SuibpQy8A3', 'JXJbsJ0J9n', 'R9pboLg4dB', 'xsdbVwBQLT', 'ekebKEHMBe', 'DKBbykYRPg', 'yMQb8XAREJ', 'HYRblTy6JW', 'P7Hbe9PYTB', 'vQIbMKN7vY'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, jsrcYQwhRmXlS3p8hL.cs High entropy of concatenated method names: 'XQX1A2aFVF', 'XJB1bCpvns', 'Hgl1hw6HUq', 'D2d1TDBi6O', 'mHD1cot9MD', 'EWkhKWGwkR', 'Qh8hyXt2lE', 'Uo3h8qmOpa', 'VHDhl44u76', 'oQVhehSFZh'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, RbxvwUYlkFxbfwZPku.cs High entropy of concatenated method names: 'Dispose', 'mL6ieETr9U', 'PHBu3Ybvc3', 'wIrBBCFpml', 'SGqiM7psFa', 'l1EizHMHds', 'ProcessDialogKey', 'cVqud98J6m', 'isDuinQPlD', 'Iltuu6vmEY'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs High entropy of concatenated method names: 'eX0WAiREtQ', 'YwRWX45GHI', 'n70Wb3HDKv', 'CRUWZX4XNn', 'RfMWh2ed3q', 'uXpW1GNQcs', 'WvuWTyT1ik', 'AiZWcQoNYs', 'JfyWCbicrR', 'zWOW4BIouS'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, bEVOL96eS8epun77ws.cs High entropy of concatenated method names: 'qi91otL6Sb', 'PRF1VKsjOw', 'hhJ1KSiqeu', 'ToString', 'GL31y5VePv', 'PAg180TAuB', 'UDcurdHJuAGRKhw44SY', 'fxq5p2HrtPLRn5HcNdT', 'zOAgh9HqcdBJSLEqnBl', 'FVDGBwHyyt0t7RrBQfO'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, tqpW97WuF0P2Yusw7o.cs High entropy of concatenated method names: 'jaOfijGle7', 'EbAfWkvP47', 'knDftUc7Fc', 'RYUfX07hAg', 'ycKfbtFZbv', 'qTRfh2uXL3', 'khLf1x4Gfg', 'kTrP8TXb3e', 'beuPlmPmyV', 'i5NPeClIrM'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, ccbVjrjKPfBC3Ubyvu.cs High entropy of concatenated method names: 'yYkRlPGO5i', 'BINRMT4neX', 'qsrPdHnXmF', 'pLQPivlA97', 'FSVREWkKN6', 'dKkRvVn4m2', 'jk5ROxM8nH', 'FSKRpl0Tef', 'b4QRskD7VV', 'c5URodfJUJ'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, WlCdhYQV2UlTaj7IIwC.cs High entropy of concatenated method names: 'veKf6Z1Rmh', 'BDKfN99Rmp', 'xhOf29Z62s', 'UVRfDGk0wC', 'YC1fYQ19gv', 'oU4f9NSVby', 'PyofHQM3gY', 'p2wfx3KmSK', 'gRPfGHNiEj', 'eZbfjEBdZk'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, KpC2jLQdUmQTnkoOCGb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pYbnpTd4mJ', 'n4DnsqUYnk', 'yF7noAx9lv', 'zUUnVBM0EH', 'dvsnKJesyD', 'YVVnyQsq8y', 'y6vn83x8sp'
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, bUWaQ6TUIryUiQ4QX6.cs High entropy of concatenated method names: 'nR3UJxSkSE', 'GJQUvSLwf2', 'cimUpvItms', 'iw0UsK06kc', 'fuUU3mZVJu', 'SdeULWp1pK', 'Lv3UrTPyCK', 'vnoU0TjhTt', 'V9jU5CdvM0', 'AWkUkVUD5d'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, aK9Kvdl6aKUkU8Qr4f.cs High entropy of concatenated method names: 'UjpZDxuQcH', 'NDsZ90Dfci', 'PUXZxMFHJG', 'ubXZGOghwh', 'rncZU25r29', 'CBRZIM3O5i', 'ruKZRcSRpg', 'BkjZP89NOB', 'J8sZf4M4r3', 'pq4ZnLvxcv'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, KmasHNN3HsYiqa4rkJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFjueAFU9M', 'GaKuMhliWc', 'Fq6uz2Lg0J', 'hMpWdoAer4', 'EJUWiV46lM', 'K76Wud02yw', 'TA5WWhlDF8', 'Kfx7aT1fOr3tOmLH66J'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, xMgPZhF2YiiucHy84N.cs High entropy of concatenated method names: 'TVa2hS8Pq', 'qqtDFdbcG', 'r7a9QGCli', 'c7SHVPyvY', 'hw2GuSejw', 'MpEjlTiSc', 'CIHv9Ka4ulKCb2gW59', 'rJkpcSIv0A0LqTjTWV', 'YvPPgM08K', 'PCon7UI5P'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, DCOGKBJuI90uQyZEqx.cs High entropy of concatenated method names: 'bcShYDTcY0', 'KWihHxJ2Si', 'GsdZLyYu72', 'ijLZrT15F3', 'zZ1Z0OLfe6', 'ucuZ5TvniO', 'Ng3ZkOJJAe', 'x12ZwOP2n7', 'xsJZ7uKfWr', 'OadZJKsx6t'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, zAZA74R3JuOHGsNPQp.cs High entropy of concatenated method names: 'mpUPF8HxGP', 'sl2P3M9dFj', 'Xv9PLLtRtk', 'HGdPrmyVnl', 'NmQPphlo17', 'hGuP04XTCD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, a8Hs6c4KES9K7cQPSy.cs High entropy of concatenated method names: 'vpQSxHiExX', 'M6wSGrpmwf', 'DySSFyD4gf', 'CcVS3A9ZlF', 'JugSrykQgv', 'UgYS0Y1OUE', 'CDkSkoDS6Y', 'onFSwlmr2v', 'DtlSJIsjq5', 'sRYSEAdfBN'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, NshQXlehtY22OeIe4v.cs High entropy of concatenated method names: 'YaJPXIc7wd', 'Q2HPbEcyBx', 'r33PZkiFLs', 'AfdPhmghau', 'PNkP1QSsDV', 'zsePTISE0K', 'RvPPcMDNXg', 'gJpPCJAnxq', 'km4P4WZOyK', 'VtJPQQcAkr'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, XVVjaRgErtfruRfsVW.cs High entropy of concatenated method names: 'HOCiTKqPN0', 'TxbicniXSF', 'PBJi4SJeVk', 'nWwiQ4mlj6', 'ihJiUgNJqF', 'S3EiIf9qll', 'y9kbOyyahNlqEMj6Fp', 'uALTg4wljhElsdqrnS', 'e4piiVh4UJ', 'M72iWlcJLA'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, YsxcHQOp6KvdGmx9PY.cs High entropy of concatenated method names: 'AOxT6K9gql', 'rZhTNjcVBG', 'F2qT2IBxeS', 'ac0TDJVBkh', 'fUXTYJUOVM', 'USMT94Wuqx', 'oOeTHUCx4K', 'AyxTxedUuH', 'wmtTGvDZvJ', 'sRcTj3X1X0'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, xj6EE79rNsvfVDFZEi.cs High entropy of concatenated method names: 'SuibpQy8A3', 'JXJbsJ0J9n', 'R9pboLg4dB', 'xsdbVwBQLT', 'ekebKEHMBe', 'DKBbykYRPg', 'yMQb8XAREJ', 'HYRblTy6JW', 'P7Hbe9PYTB', 'vQIbMKN7vY'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, jsrcYQwhRmXlS3p8hL.cs High entropy of concatenated method names: 'XQX1A2aFVF', 'XJB1bCpvns', 'Hgl1hw6HUq', 'D2d1TDBi6O', 'mHD1cot9MD', 'EWkhKWGwkR', 'Qh8hyXt2lE', 'Uo3h8qmOpa', 'VHDhl44u76', 'oQVhehSFZh'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, RbxvwUYlkFxbfwZPku.cs High entropy of concatenated method names: 'Dispose', 'mL6ieETr9U', 'PHBu3Ybvc3', 'wIrBBCFpml', 'SGqiM7psFa', 'l1EizHMHds', 'ProcessDialogKey', 'cVqud98J6m', 'isDuinQPlD', 'Iltuu6vmEY'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs High entropy of concatenated method names: 'eX0WAiREtQ', 'YwRWX45GHI', 'n70Wb3HDKv', 'CRUWZX4XNn', 'RfMWh2ed3q', 'uXpW1GNQcs', 'WvuWTyT1ik', 'AiZWcQoNYs', 'JfyWCbicrR', 'zWOW4BIouS'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, bEVOL96eS8epun77ws.cs High entropy of concatenated method names: 'qi91otL6Sb', 'PRF1VKsjOw', 'hhJ1KSiqeu', 'ToString', 'GL31y5VePv', 'PAg180TAuB', 'UDcurdHJuAGRKhw44SY', 'fxq5p2HrtPLRn5HcNdT', 'zOAgh9HqcdBJSLEqnBl', 'FVDGBwHyyt0t7RrBQfO'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, tqpW97WuF0P2Yusw7o.cs High entropy of concatenated method names: 'jaOfijGle7', 'EbAfWkvP47', 'knDftUc7Fc', 'RYUfX07hAg', 'ycKfbtFZbv', 'qTRfh2uXL3', 'khLf1x4Gfg', 'kTrP8TXb3e', 'beuPlmPmyV', 'i5NPeClIrM'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, ccbVjrjKPfBC3Ubyvu.cs High entropy of concatenated method names: 'yYkRlPGO5i', 'BINRMT4neX', 'qsrPdHnXmF', 'pLQPivlA97', 'FSVREWkKN6', 'dKkRvVn4m2', 'jk5ROxM8nH', 'FSKRpl0Tef', 'b4QRskD7VV', 'c5URodfJUJ'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, WlCdhYQV2UlTaj7IIwC.cs High entropy of concatenated method names: 'veKf6Z1Rmh', 'BDKfN99Rmp', 'xhOf29Z62s', 'UVRfDGk0wC', 'YC1fYQ19gv', 'oU4f9NSVby', 'PyofHQM3gY', 'p2wfx3KmSK', 'gRPfGHNiEj', 'eZbfjEBdZk'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, KpC2jLQdUmQTnkoOCGb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pYbnpTd4mJ', 'n4DnsqUYnk', 'yF7noAx9lv', 'zUUnVBM0EH', 'dvsnKJesyD', 'YVVnyQsq8y', 'y6vn83x8sp'
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, bUWaQ6TUIryUiQ4QX6.cs High entropy of concatenated method names: 'nR3UJxSkSE', 'GJQUvSLwf2', 'cimUpvItms', 'iw0UsK06kc', 'fuUU3mZVJu', 'SdeULWp1pK', 'Lv3UrTPyCK', 'vnoU0TjhTt', 'V9jU5CdvM0', 'AWkUkVUD5d'
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 10A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 2B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 2870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 7D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 8D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 8ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 9ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 1590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: 4F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Window / User API: threadDelayed 575 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Window / User API: threadDelayed 3778 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 7716 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 8124 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 7896 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.000000000311F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155LR
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1526199697.0000000001136000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.00000000033F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004384000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_07B37580 LdrInitializeThunk, 5_2_07B37580
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Memory written: C:\Users\user\Desktop\vhFZk5qPZd.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe" Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Users\user\Desktop\vhFZk5qPZd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Users\user\Desktop\vhFZk5qPZd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vhFZk5qPZd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: Yara match File source: 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vhFZk5qPZd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs