Analysis Report Codes.exe

Overview

General Information

Sample Name: Codes.exe
Analysis ID: 299676
MD5: 0a27a7189fa876b1b5954b1fb2e3767c
SHA1: da6193b7b261d0d6d0b554a94d29ba4846b614b7
SHA256: 9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
Tags: AgentTesla, exe, Outlook

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Codes.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\Codes.exe' MD5: 0A27A7189FA876B1B5954B1FB2E3767C)
    • cmd.exe (PID: 4552 cmdline: 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Codes.exe' 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6176 cmdline: 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vpn.exe (PID: 3156 cmdline: C:\Users\user\AppData\Roaming\vpn.exe MD5: 0A27A7189FA876B1B5954B1FB2E3767C)
        • cmd.exe (PID: 6608 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 5716 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • InstallUtil.exe (PID: 5584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • cmd.exe (PID: 5576 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 5604 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 5476 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6344 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 6388 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6980 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 7100 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 4552 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 5648 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6100 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • cmd.exe (PID: 4944 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 4364 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • ljYBX.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "LjE19yLD35cKU8", "URL: ": "https://CKhVIEPcstJa0pUqPCyV.net", "To: ": "", "ByHost: ": "smtp.gmail.com:587", "Password: ": "KZXZV6Wrjg", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.494231059.0000000005824000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.491639909.00000000040C4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.491769896.0000000004232000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.InstallUtil.exe.700000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.5584.10.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "LjE19yLD35cKU8", "URL: ": "https://CKhVIEPcstJa0pUqPCyV.net", "To: ": "", "ByHost: ": "smtp.gmail.com:587", "Password: ": "KZXZV6Wrjg", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\vpn.exe | ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: Codes.exe | ReversingLabs: Detection: 14%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vpn.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Codes.exe | Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.700000.0.unpack | Avira: Label: TR/Dropper.Gen7
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_0139E880
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0139E880
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_0139DB58
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_0139E07D
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_0139E560
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0139E560
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_0139E554
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0139E554
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 1_2_01398473
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then xor edx, edx | 1_2_0139E7B8
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then xor edx, edx | 1_2_0139E7AC
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_0139E874
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0139E874
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then mov ecx, dword ptr [03DEE69Ch] | 1_2_0139712B
Source: C:\Users\user\Desktop\Codes.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 1_2_0139712B
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 6_2_00CBE880
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 6_2_00CBE880
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 6_2_00CBDB58
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 6_2_00CBE07D
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 6_2_00CBE554
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 6_2_00CBE554
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 6_2_00CBE560
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 6_2_00CBE560
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then xor edx, edx | 6_2_00CBE7AC
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then xor edx, edx | 6_2_00CBE7B8
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 6_2_00CBE874
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 6_2_00CBE874
Source: Joe Sandbox View | IP Address: 172.253.120.108 172.253.120.108
              Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: unknown | DNS traffic detected: queries for: smtp.gmail.com
Source: InstallUtil.exe, 0000000A.00000002.370633547.0000000005BF0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000A.00000002.367332773.000000000290A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: InstallUtil.exe, 0000000A.00000002.367076436.0000000002887000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: InstallUtil.exe, 0000000A.00000002.370687322.0000000005C7A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2=E
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: InstallUtil.exe, 0000000A.00000002.367076436.0000000002887000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: InstallUtil.exe, 0000000A.00000002.367332773.000000000290A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: InstallUtil.exe, 0000000A.00000002.367332773.000000000290A000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: InstallUtil.exe, 0000000A.00000002.366845303.000000000287C000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.gmail.com
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.366826954.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: https://CKhVIEPcstJa0pUqPCyV.net
Source: InstallUtil.exe, 0000000A.00000002.367212986.00000000028A4000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbs
Source: InstallUtil.exe, 0000000A.00000002.367365794.0000000002964000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbt
Source: InstallUtil.exe, 0000000A.00000002.367076436.0000000002887000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: InstallUtil.exe, 0000000A.00000002.366702068.00000000026F3000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: InstallUtil.exe, 0000000A.00000002.367212986.00000000028A4000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.367123764.000000000289C000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.367365794.0000000002964000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/mail/?p=WantAuthError
Source: InstallUtil.exe, 0000000A.00000002.367365794.0000000002964000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/mail/answer/78754

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0819C018 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0819C028 GetKeyState,GetKeyState,GetKeyState

System Summary:

.NET source code contains very large array initializations
Source: Codes.exe, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: 1.0.Codes.exe.9c0000.0.unpack, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: 1.2.Codes.exe.9c0000.0.unpack, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: vpn.exe.2.dr, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: 6.2.vpn.exe.230000.0.unpack, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: 6.0.vpn.exe.230000.0.unpack, Fk4u0040u0023/u0030Wqu0025L.cs | Large array initialization: 6o)W*: array initializer size 91152
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_01392272
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_01395458
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_01391770
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_01393999
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_0139F9F0
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_0139712B
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_0139F038
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_0139F027
Source: C:\Users\user\Desktop\Codes.exe | Code function: 1_2_01399BBF
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB2278
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB5468
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB1780
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CBF9E1
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB39A8
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CBA2E0
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB2268
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CBF027
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CBF038
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB5458
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB1778
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB3999
Source: C:\Users\user\AppData\Roaming\vpn.exe | Code function: 6_2_00CB9BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025EA238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E6338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E8BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E5FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E6C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025EF230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025EF618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025EE7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025EE7AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E1C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_025E1D02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA8308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA4D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA4928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA3C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA85C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA867A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA82F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA0CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA0D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EACD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA08AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA08B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA0993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA0B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_04EA3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F090E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F05BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01D4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01CBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F04C98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01C2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01F17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F01E23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F010BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F0102C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F023CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_05F02359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_08199010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0819B798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_08194328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_081936D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_081936E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0819B789
Source: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe | Code function: 32_2_006020B0
Source: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe | Code function: 32_2_00E107D8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Codes.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vpn.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Codes.exe, 00000001.00000002.230541199.0000000008BE0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Codes.exe
Source: Codes.exe, 00000001.00000002.226115393.0000000004734000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecxWlVgzyJXCqbjKqdSekvKKkpgCBtpIp.exe4 vs Codes.exe
Source: Codes.exe, 00000001.00000002.231390375.0000000008CD0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Codes.exe
Source: Codes.exe, 00000001.00000002.231390375.0000000008CD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Codes.exe
Source: Codes.exe, 00000001.00000002.225672755.0000000003E27000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDESdgdhser.dll0 vs Codes.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
Source: Codes.exe, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Codes.exe.9c0000.0.unpack, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Codes.exe.9c0000.0.unpack, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: vpn.exe.2.dr, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.vpn.exe.230000.0.unpack, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vpn.exe.230000.0.unpack, D_y3u0023z8H/Np0u002fc7u002bY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@148/7@2/1
Source: C:\Users\user\Desktop\Codes.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Codes.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
              Source: Codes.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Codes.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Codes.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\Codes.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Codes.exeReversingLabs: Detection: 14%
              Source: unknownProcess created: C:\Users\user\Desktop\Codes.exe 'C:\Users\user\Desktop\Codes.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Codes.exe' 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\vpn.exe C:\Users\user\AppData\Roaming\vpn.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe 'C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Users\user\Desktop\Codes.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\Codes.exe' 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\Desktop\Codes.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\vpn.exe C:\Users\user\AppData\Roaming\vpn.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'vips72' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\vpn.exe'
              Source: C:\Users\user\Desktop\Codes.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Codes.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Codes.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Codes.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: ljYBX.exe, 00000020.00000000.274153885.0000000000602000.00000002.00020000.sdmp, ljYBX.exe.10.dr
              Source: Binary string: InstallUtil.pdb source: ljYBX.exe, ljYBX.exe.10.dr

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: Codes.exe, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.0.Codes.exe.9c0000.0.unpack, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.Codes.exe.9c0000.0.unpack, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: vpn.exe.2.dr, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 6.2.vpn.exe.230000.0.unpack, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 6.0.vpn.exe.230000.0.unpack, tMu00240W7zu0029/Ta3u007cqu005eM0.cs.Net Code: 4Na_!i5P System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_00A4DFA8 pushad ; retf 10_2_00A4DFA9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_00A4D5BC pushad ; retf 10_2_00A4D5BD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_00A4DF88 push esp; retf 10_2_00A4DF89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_00A4D59C push esp; retf 10_2_00A4D59D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_05F03E09 pushfd ; ret 10_2_05F03E1F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_05F038F6 push 69D04589h; ret 10_2_05F03904

              Persistence and Installation Behavior:

              Uses cmd line tools excessively to alter registry or file data
              Source: C:\Users\user\AppData\Roaming\vpn.exeProcess created: reg.exeJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\fCvYpQH\ljYBX.exeJump to dropped file
              Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\vpn.exeJump to dropped file

              Boot Survival:
