Analysis Report VCPjXmY0pr

Overview

General Information

Sample Name: VCPjXmY0pr (renamed file extension from none to exe)
Analysis ID: 339438
MD5: 053ddb3b6e38f9bdbc5fb51fdd44d3ac
SHA1: 2f26c6f5a9dbf6bfb7690cb6949536775d1def92
SHA256: 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f

Most interesting Screenshot:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: VCPjXmY0pr.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll Avira: detection malicious, Label: HEUR/AGEN.1126242
Multi AV Scanner detection for submitted file
Source: VCPjXmY0pr.exe Virustotal: Detection: 76% Perma Link
Source: VCPjXmY0pr.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: VCPjXmY0pr.exe Joe Sandbox ML: detected

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Unpacked PE file: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack
Uses 32bit PE files
Source: VCPjXmY0pr.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll Jump to behavior
Source: VCPjXmY0pr.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: VCPjXmY0pr.exe, 00000000.00000002.685997706.0000000000E1A000.00000004.00000020.sdmp String found in binary or memory: http://go.micros
Source: explorer.exe, 00000001.00000000.666551645.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://jaireve.co/wp-content/languages/index.php
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://www.weauthenticate.co.uk/wp-content/languages/index.php
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://www.weauthenticate.co.uk/wp-content/languages/index.php1https://jaireve.co/wp-content/langua

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll, type: DROPPED Matched rule: Detects Turla Kazuar RAT described by DrunkBinary Author: Markus Neis / Florian Roth
Source: 0.2.VCPjXmY0pr.exe.62480000.1.unpack, type: UNPACKEDPE Matched rule: Detects Turla Kazuar RAT described by DrunkBinary Author: Markus Neis / Florian Roth
Detected potential crypto function
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA35A03A4A 0_2_00007FFA35A03A4A
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359F31A0 0_2_00007FFA359F31A0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359FDCF0 0_2_00007FFA359FDCF0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA35A02CD3 0_2_00007FFA35A02CD3
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359F0130 0_2_00007FFA359F0130
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359F4B70 0_2_00007FFA359F4B70
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA35A03240 0_2_00007FFA35A03240
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359F3FA9 0_2_00007FFA359F3FA9
Sample file is different than original file name gathered from version info
Source: VCPjXmY0pr.exe, 00000000.00000002.685997706.0000000000E1A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs VCPjXmY0pr.exe
Source: VCPjXmY0pr.exe, 00000000.00000002.685885452.0000000000A1E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAgent.exeN vs VCPjXmY0pr.exe
Source: VCPjXmY0pr.exe Binary or memory string: OriginalFilenameAgent.exeN vs VCPjXmY0pr.exe
Uses 32bit PE files
Source: VCPjXmY0pr.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: VCPjXmY0pr.exe, type: SAMPLE Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: VCPjXmY0pr.exe, type: SAMPLE Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll, type: DROPPED Matched rule: Turla_KazuarRAT date = 2018-04-08, hash3 = 4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198, hash2 = 7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d, hash1 = 6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa, author = Markus Neis / Florian Roth, description = Detects Turla Kazuar RAT described by DrunkBinary, reference = https://twitter.com/DrunkBinary/status/982969891975319553
Source: 0.2.VCPjXmY0pr.exe.62480000.1.unpack, type: UNPACKEDPE Matched rule: Turla_KazuarRAT date = 2018-04-08, hash3 = 4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198, hash2 = 7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d, hash1 = 6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa, author = Markus Neis / Florian Roth, description = Detects Turla Kazuar RAT described by DrunkBinary, reference = https://twitter.com/DrunkBinary/status/982969891975319553
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: VCPjXmY0pr.exe, JowBOtqcqvVCCqOPQrecpmBhMcCE.cs Cryptographic APIs: 'CreateDecryptor'
Source: VCPjXmY0pr.exe, CTriFxnjSzLzysCjWnaasAySZUoH.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, JowBOtqcqvVCCqOPQrecpmBhMcCE.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, CTriFxnjSzLzysCjWnaasAySZUoH.cs Cryptographic APIs: 'CreateDecryptor'
Source: VCPjXmY0pr.exe, xaWocZJwXjXdEaUZmSLYfVaHzeiG.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, xaWocZJwXjXdEaUZmSLYfVaHzeiG.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, eThxRpbETWdjxmVpXPSjXHAcevov.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: VCPjXmY0pr.exe, eThxRpbETWdjxmVpXPSjXHAcevov.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine Classification label: mal92.evad.winEXE@1/13@0/0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe File created: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7 Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{b8a51239-fdc0-6ddc-5b20-97bdafddcb5a}
Source: VCPjXmY0pr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: VCPjXmY0pr.exe Virustotal: Detection: 76%
Source: VCPjXmY0pr.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: VCPjXmY0pr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll Jump to behavior
Source: VCPjXmY0pr.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Unpacked PE file: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack
.NET source code contains potential unpacker
Source: VCPjXmY0pr.exe, yVJzEUMWFmmqMaPSUNTXuiQpWUAo.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, yVJzEUMWFmmqMaPSUNTXuiQpWUAo.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .wtf
PE file contains an invalid checksum
Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.dr Static PE information: real checksum: 0xc809 should be: 0x5d1d
Source: VCPjXmY0pr.exe Static PE information: real checksum: 0x0 should be: 0x75bb3
PE file contains sections with non-standard names
Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.dr Static PE information: section name: .wtf
Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359FE373 push edx; retf 0_2_00007FFA359FE3B1
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Code function: 0_2_00007FFA359F6D14 push esi; ret 0_2_00007FFA359F6D17
Source: VCPjXmY0pr.exe, oKNGvtPGtCTMPpOxDvUHlAChNZGw.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, DteHEPsmEtHhhwFTNYpXIIThIgSr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, WAilIsDhwFrPIXiaBQdCthAaCvye.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, lwqQYZKBwOXSoyAQtOILpszueCCr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', 'BESFPzKfKQDDGoimktgzsZJfmaNs', '.ctor'
Source: VCPjXmY0pr.exe, evwJCBryWduoCpuRjHXVeSRGDCdK.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'mFvlXbOBwYFycNExDwsmdSXAUlTC'
Source: VCPjXmY0pr.exe, TYOxYFoQUvQOzcgSAXTUIUXtTqP.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: VCPjXmY0pr.exe, KhLUrdNneVMqjOpSdoqdyvaLujbj.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, PyJJNitSfJqvXbCTYUUrzsymciYX.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, VCkDjCCDwbcJkUlwdXTPjBYmzNfQ.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: VCPjXmY0pr.exe, qJRFYGcPocAtTrfZlGrAXJMJZBPVA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: VCPjXmY0pr.exe, uOWFlXHpjsOByESGjkAeDXbtVDXrb.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: VCPjXmY0pr.exe, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs High entropy of concatenated method names: 'uUmriooNvsGiUkwwzaOIlFvigksD', 'eRgbvDPMDOTkRPtLjFuGtoRrFmqv', 'jiImNtLestTpBtUWRnfloXVAaoQI', 'vdaBnoXZUkSrjeHxAmUiONUhcNKBA', 'uNBwbeDbCUukYLXPIhIIZtBypAIy', 'ncUStthzZpcDXiCzYSsPIhYbKNZp', 'lhRlKXDjVxAeXxyIiYlFismCXmMd', 'PvItMHIRZrKVlvCQvYJLgNNSASLM', 'tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'qVnPtdRNMxbSGbuClYFvMgKPhvDHA'
Source: VCPjXmY0pr.exe, fFukgVjYWaEFDfuLCEaeAIhjACpu.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, NTUiRuGNXCALubTLidZuPliWwwtr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, BnlCTyVPPJbeDfVuwxBXIIwSZXSdA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, LKibmMaQProiRHPzDMvgNzgvUwDyA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, vcjGrbxppmxZxAbJTVMNjLbQdDBCA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, putmnFDFHxWOCpnQJeIPFhapTDCvA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: VCPjXmY0pr.exe, tYJxLndiqFFoadjBRcFjzCKyVPDw.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'VxDEoasEvMyvkTeBHhfKukJmOKoe'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, DteHEPsmEtHhhwFTNYpXIIThIgSr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, WAilIsDhwFrPIXiaBQdCthAaCvye.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, lwqQYZKBwOXSoyAQtOILpszueCCr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', 'BESFPzKfKQDDGoimktgzsZJfmaNs', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, KhLUrdNneVMqjOpSdoqdyvaLujbj.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, PyJJNitSfJqvXbCTYUUrzsymciYX.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, oKNGvtPGtCTMPpOxDvUHlAChNZGw.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs High entropy of concatenated method names: 'uUmriooNvsGiUkwwzaOIlFvigksD', 'eRgbvDPMDOTkRPtLjFuGtoRrFmqv', 'jiImNtLestTpBtUWRnfloXVAaoQI', 'vdaBnoXZUkSrjeHxAmUiONUhcNKBA', 'uNBwbeDbCUukYLXPIhIIZtBypAIy', 'ncUStthzZpcDXiCzYSsPIhYbKNZp', 'lhRlKXDjVxAeXxyIiYlFismCXmMd', 'PvItMHIRZrKVlvCQvYJLgNNSASLM', 'tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'qVnPtdRNMxbSGbuClYFvMgKPhvDHA'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, fFukgVjYWaEFDfuLCEaeAIhjACpu.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, NTUiRuGNXCALubTLidZuPliWwwtr.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, BnlCTyVPPJbeDfVuwxBXIIwSZXSdA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, VCkDjCCDwbcJkUlwdXTPjBYmzNfQ.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, qJRFYGcPocAtTrfZlGrAXJMJZBPVA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, uOWFlXHpjsOByESGjkAeDXbtVDXrb.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, evwJCBryWduoCpuRjHXVeSRGDCdK.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'mFvlXbOBwYFycNExDwsmdSXAUlTC'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, TYOxYFoQUvQOzcgSAXTUIUXtTqP.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, putmnFDFHxWOCpnQJeIPFhapTDCvA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, tYJxLndiqFFoadjBRcFjzCKyVPDw.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'VxDEoasEvMyvkTeBHhfKukJmOKoe'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, LKibmMaQProiRHPzDMvgNzgvUwDyA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, vcjGrbxppmxZxAbJTVMNjLbQdDBCA.cs High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe File created: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll Jump to dropped file
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\explorer.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1001 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe TID: 1288 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4780 Thread sleep count: 64 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4780 Thread sleep time: -128000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6240 Thread sleep count: 1001 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6240 Thread sleep time: -10010000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6896 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: explorer.exe, 00000001.00000000.677524244.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000001.00000000.674532575.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.677524244.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.671223228.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000001.00000000.677640558.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000001.00000000.677704442.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\explorer.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\explorer.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: VCPjXmY0pr.exe, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs Reference to suspicious API methods: ('FnweNvyxnMVBuRzMZzQEqdtLAPrA', 'GetProcAddress@kernel32'), ('qVnPtdRNMxbSGbuClYFvMgKPhvDHA', 'CreateRemoteThread@kernel32'), ('zdYpViHCCuxgniqqamPpntrZHzZr', 'LoadLibrary@kernel32'), ('tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'OpenProcess@kernel32'), ('wHieHXtQJlXHyVxhONzsxdAXelIaA', 'OpenProcessToken@advapi32')
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs Reference to suspicious API methods: ('FnweNvyxnMVBuRzMZzQEqdtLAPrA', 'GetProcAddress@kernel32'), ('qVnPtdRNMxbSGbuClYFvMgKPhvDHA', 'CreateRemoteThread@kernel32'), ('zdYpViHCCuxgniqqamPpntrZHzZr', 'LoadLibrary@kernel32'), ('tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'OpenProcess@kernel32'), ('wHieHXtQJlXHyVxhONzsxdAXelIaA', 'OpenProcessToken@advapi32')
Source: explorer.exe, 00000001.00000000.665732018.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp, explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.677640558.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339438 Sample: VCPjXmY0pr Startdate: 14/01/2021 Architecture: WINDOWS Score: 92 19 Malicious sample detected (through community Yara rule) 2->19 21 Antivirus detection for dropped file 2->21 23 Antivirus / Scanner detection for submitted sample 2->23 25 4 other signatures 2->25 6 VCPjXmY0pr.exe 12 2->6         started        process3 file4 13 C:\...\7092ee1bf1e386348e9ed2a7b68b7ab2.dll, PE32+ 6->13 dropped 15 C:\Users\user\AppData\...\VCPjXmY0pr.exe.log, ASCII 6->15 dropped 27 Detected unpacking (overwrites its own PE header) 6->27 10 explorer.exe 14 6->10 injected signatures5 process6 file7 17 C:\Users\user\AppData\...\08D8B839E60385D2, DOS 10->17 dropped
No contacted IP infos