Analysis Report VCPjXmY0pr

Overview

General Information

Sample Name: VCPjXmY0pr (renamed file extension from none to exe)
Analysis ID: 339438
MD5: 053ddb3b6e38f9bdbc5fb51fdd44d3ac
SHA1: 2f26c6f5a9dbf6bfb7690cb6949536775d1def92
SHA256: 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f

Most interesting Screenshot:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • VCPjXmY0pr.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\VCPjXmY0pr.exe' MD5: 053DDB3B6E38F9BDBC5FB51FDD44D3AC)
    • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
VCPjXmY0pr.exe | apt_RU_Turla_Kazuar_DebugView_peFeatures | Turla mimicking SysInternals Tools- peFeatures | JAG-S |
VCPjXmY0pr.exe | APT_MAL_RU_Turla_Kazuar_May20_1 | Detects Turla Kazuar malware | Florian Roth |
  • 0x69f62:$s1: Sysinternals
  • 0x69f74:$s1: Sysinternals
  • 0x6b4e4:$s2: Test Copyright
  • 0x69f3c:$op1: 0D 01 00 08 34 2E 38 30 2E 30 2E 30 00 00 13 01

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll | Turla_KazuarRAT | Detects Turla Kazuar RAT described by DrunkBinary | Markus Neis / Florian Roth |
  • 0x642:$x1: ~1.EXE

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: VCPjXmY0pr.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll | Avira: detection malicious, Label: HEUR/AGEN.1126242
Multi AV Scanner detection for submitted file
Source: VCPjXmY0pr.exe | Virustotal: Detection: 76%
Source: VCPjXmY0pr.exe | ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: VCPjXmY0pr.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Unpacked PE file: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack
Source: VCPjXmY0pr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: VCPjXmY0pr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: VCPjXmY0pr.exe, 00000000.00000002.685997706.0000000000E1A000.00000004.00000020.sdmp | String found in binary or memory: http://go.micros
Source: explorer.exe, 00000001.00000000.666551645.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000001.00000000.678657512.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://jaireve.co/wp-content/languages/index.php
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://www.weauthenticate.co.uk/wp-content/languages/index.php
Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://www.weauthenticate.co.uk/wp-content/languages/index.php1https://jaireve.co/wp-content/langua

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll, type: DROPPED | Matched rule: Detects Turla Kazuar RAT described by DrunkBinary, Author: Markus Neis / Florian Roth
Source: 0.2.VCPjXmY0pr.exe.62480000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Turla Kazuar RAT described by DrunkBinary, Author: Markus Neis / Florian Roth
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA35A03A4A
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA359F31A0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA359FDCF0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA35A02CD3
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA359F0130
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA359F4B70
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA35A03240
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Code function: 0_2_00007FFA359F3FA9
Source: VCPjXmY0pr.exe, 00000000.00000002.685997706.0000000000E1A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs VCPjXmY0pr.exe
Source: VCPjXmY0pr.exe, 00000000.00000002.685885452.0000000000A1E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAgent.exeN vs VCPjXmY0pr.exe
Source: VCPjXmY0pr.exe | Binary or memory string: OriginalFilenameAgent.exeN vs VCPjXmY0pr.exe
Source: VCPjXmY0pr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: VCPjXmY0pr.exe, type: SAMPLE | Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: VCPjXmY0pr.exe, type: SAMPLE | Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll, type: DROPPED | Matched rule: Turla_KazuarRAT date = 2018-04-08, hash3 = 4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198, hash2 = 7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d, hash1 = 6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa, author = Markus Neis / Florian Roth, description = Detects Turla Kazuar RAT described by DrunkBinary, reference = https://twitter.com/DrunkBinary/status/982969891975319553
Source: 0.2.VCPjXmY0pr.exe.62480000.1.unpack, type: UNPACKEDPE | Matched rule: Turla_KazuarRAT date = 2018-04-08, hash3 = 4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198, hash2 = 7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d, hash1 = 6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa, author = Markus Neis / Florian Roth, description = Detects Turla Kazuar RAT described by DrunkBinary, reference = https://twitter.com/DrunkBinary/status/982969891975319553
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: apt_RU_Turla_Kazuar_DebugView_peFeatures hash2 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, author = JAG-S, description = Turla mimicking SysInternals Tools- peFeatures, version = 2.0, reference = https://www.epicturla.com/blog/sysinturla, score = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c
Source: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_MAL_RU_Turla_Kazuar_May20_1 date = 2020-05-28, hash4 = 44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac, hash3 = 2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f, hash2 = 1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa, hash1 = 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c, author = Florian Roth, description = Detects Turla Kazuar malware, reference = https://www.epicturla.com/blog/sysinturla
Source: VCPjXmY0pr.exe, JowBOtqcqvVCCqOPQrecpmBhMcCE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: VCPjXmY0pr.exe, CTriFxnjSzLzysCjWnaasAySZUoH.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, JowBOtqcqvVCCqOPQrecpmBhMcCE.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, CTriFxnjSzLzysCjWnaasAySZUoH.cs | Cryptographic APIs: 'CreateDecryptor'
Source: VCPjXmY0pr.exe, xaWocZJwXjXdEaUZmSLYfVaHzeiG.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, xaWocZJwXjXdEaUZmSLYfVaHzeiG.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, eThxRpbETWdjxmVpXPSjXHAcevov.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: VCPjXmY0pr.exe, eThxRpbETWdjxmVpXPSjXHAcevov.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine | Classification label: mal92.evad.winEXE@1/13@0/0
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | File created: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{b8a51239-fdc0-6ddc-5b20-97bdafddcb5a}
Source: VCPjXmY0pr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\explorer.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Windows\explorer.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\explorer.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VCPjXmY0pr.exe | Virustotal: Detection: 76%
Source: VCPjXmY0pr.exe | ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: VCPjXmY0pr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: VCPjXmY0pr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.674084782.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

    Detected unpacking (overwrites its own PE header)Show sources
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exeUnpacked PE file: 0.2.VCPjXmY0pr.exe.9b0000.0.unpack
    .NET source code contains potential unpackerShow sources
    Source: VCPjXmY0pr.exe, yVJzEUMWFmmqMaPSUNTXuiQpWUAo.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, yVJzEUMWFmmqMaPSUNTXuiQpWUAo.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: initial sampleStatic PE information: section where entry point is pointing to: .wtf
    Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.drStatic PE information: real checksum: 0xc809 should be: 0x5d1d
    Source: VCPjXmY0pr.exeStatic PE information: real checksum: 0x0 should be: 0x75bb3
    Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.drStatic PE information: section name: .wtf
    Source: 7092ee1bf1e386348e9ed2a7b68b7ab2.dll.0.drStatic PE information: section name: .xdata
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exeCode function: 0_2_00007FFA359FE373 push edx; retf 0_2_00007FFA359FE3B1
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exeCode function: 0_2_00007FFA359F6D14 push esi; ret 0_2_00007FFA359F6D17
    Source: VCPjXmY0pr.exe, oKNGvtPGtCTMPpOxDvUHlAChNZGw.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, DteHEPsmEtHhhwFTNYpXIIThIgSr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, WAilIsDhwFrPIXiaBQdCthAaCvye.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, lwqQYZKBwOXSoyAQtOILpszueCCr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', 'BESFPzKfKQDDGoimktgzsZJfmaNs', '.ctor'
    Source: VCPjXmY0pr.exe, evwJCBryWduoCpuRjHXVeSRGDCdK.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'mFvlXbOBwYFycNExDwsmdSXAUlTC'
    Source: VCPjXmY0pr.exe, TYOxYFoQUvQOzcgSAXTUIUXtTqP.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: VCPjXmY0pr.exe, KhLUrdNneVMqjOpSdoqdyvaLujbj.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, PyJJNitSfJqvXbCTYUUrzsymciYX.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, VCkDjCCDwbcJkUlwdXTPjBYmzNfQ.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: VCPjXmY0pr.exe, qJRFYGcPocAtTrfZlGrAXJMJZBPVA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: VCPjXmY0pr.exe, uOWFlXHpjsOByESGjkAeDXbtVDXrb.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: VCPjXmY0pr.exe, OKTUKVPuuDYGxITuxNrCtXxMDJoC.csHigh entropy of concatenated method names: 'uUmriooNvsGiUkwwzaOIlFvigksD', 'eRgbvDPMDOTkRPtLjFuGtoRrFmqv', 'jiImNtLestTpBtUWRnfloXVAaoQI', 'vdaBnoXZUkSrjeHxAmUiONUhcNKBA', 'uNBwbeDbCUukYLXPIhIIZtBypAIy', 'ncUStthzZpcDXiCzYSsPIhYbKNZp', 'lhRlKXDjVxAeXxyIiYlFismCXmMd', 'PvItMHIRZrKVlvCQvYJLgNNSASLM', 'tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'qVnPtdRNMxbSGbuClYFvMgKPhvDHA'
    Source: VCPjXmY0pr.exe, fFukgVjYWaEFDfuLCEaeAIhjACpu.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, NTUiRuGNXCALubTLidZuPliWwwtr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, BnlCTyVPPJbeDfVuwxBXIIwSZXSdA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, LKibmMaQProiRHPzDMvgNzgvUwDyA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, vcjGrbxppmxZxAbJTVMNjLbQdDBCA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, putmnFDFHxWOCpnQJeIPFhapTDCvA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: VCPjXmY0pr.exe, tYJxLndiqFFoadjBRcFjzCKyVPDw.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'VxDEoasEvMyvkTeBHhfKukJmOKoe'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, DteHEPsmEtHhhwFTNYpXIIThIgSr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, WAilIsDhwFrPIXiaBQdCthAaCvye.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, lwqQYZKBwOXSoyAQtOILpszueCCr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', 'BESFPzKfKQDDGoimktgzsZJfmaNs', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, KhLUrdNneVMqjOpSdoqdyvaLujbj.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, PyJJNitSfJqvXbCTYUUrzsymciYX.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, oKNGvtPGtCTMPpOxDvUHlAChNZGw.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, OKTUKVPuuDYGxITuxNrCtXxMDJoC.csHigh entropy of concatenated method names: 'uUmriooNvsGiUkwwzaOIlFvigksD', 'eRgbvDPMDOTkRPtLjFuGtoRrFmqv', 'jiImNtLestTpBtUWRnfloXVAaoQI', 'vdaBnoXZUkSrjeHxAmUiONUhcNKBA', 'uNBwbeDbCUukYLXPIhIIZtBypAIy', 'ncUStthzZpcDXiCzYSsPIhYbKNZp', 'lhRlKXDjVxAeXxyIiYlFismCXmMd', 'PvItMHIRZrKVlvCQvYJLgNNSASLM', 'tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'qVnPtdRNMxbSGbuClYFvMgKPhvDHA'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, fFukgVjYWaEFDfuLCEaeAIhjACpu.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, NTUiRuGNXCALubTLidZuPliWwwtr.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, BnlCTyVPPJbeDfVuwxBXIIwSZXSdA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, VCkDjCCDwbcJkUlwdXTPjBYmzNfQ.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, qJRFYGcPocAtTrfZlGrAXJMJZBPVA.csHigh entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, uOWFlXHpjsOByESGjkAeDXbtVDXrb.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, evwJCBryWduoCpuRjHXVeSRGDCdK.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'mFvlXbOBwYFycNExDwsmdSXAUlTC'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, TYOxYFoQUvQOzcgSAXTUIUXtTqP.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'DOAlVtspoVtZsDRYZnvWSgROwMlp'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, putmnFDFHxWOCpnQJeIPFhapTDCvA.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, tYJxLndiqFFoadjBRcFjzCKyVPDw.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor', 'VxDEoasEvMyvkTeBHhfKukJmOKoe'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, LKibmMaQProiRHPzDMvgNzgvUwDyA.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, vcjGrbxppmxZxAbJTVMNjLbQdDBCA.cs | High entropy of concatenated method names: 'kafSqoPznidGdUKnHguLXljbXBMA', 'LvguNyxphZcgqtToZrVVsKFrHzsY', 'seeGDOBfDaOlBbBHqxuyACVwjvQmA', 'fThBgPgmraqMMhurquOFnDtCMVDY', 'VmwikgacwGaIvpXiNfPEivIVIKMDb', 'kyNfXlhdUbtDBndkvWzdgRvWlWUkA', '.ctor'
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | File created: C:\Users\user\AppData\Local\9de699449c084cfcaf7aae165ca409d7\7092ee1bf1e386348e9ed2a7b68b7ab2.dll
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Process information set: NOOPENFILEERRORBOX (40 identical entries)
    Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (47 identical entries)
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\explorer.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1001
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe TID: 1288 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\explorer.exe TID: 4780 | Thread sleep count: 64 > 30
    Source: C:\Windows\explorer.exe TID: 4780 | Thread sleep time: -128000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 6240 | Thread sleep count: 1001 > 30
    Source: C:\Windows\explorer.exe TID: 6240 | Thread sleep time: -10010000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 6896 | Thread sleep time: -922337203685477s >= -30000s
    Source: explorer.exe, 00000001.00000000.677524244.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: explorer.exe, 00000001.00000000.674532575.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000001.00000000.671223228.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
    Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: explorer.exe, 00000001.00000000.677640558.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
    Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: explorer.exe, 00000001.00000000.677704442.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
    Source: explorer.exe, 00000001.00000000.673659873.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Process token adjusted: Debug
    Source: C:\Windows\explorer.exe | Process token adjusted: Debug
    Source: C:\Windows\explorer.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    .NET source code references suspicious native API functions
    Source: VCPjXmY0pr.exe, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs | Reference to suspicious API methods: ('FnweNvyxnMVBuRzMZzQEqdtLAPrA', 'GetProcAddress@kernel32'), ('qVnPtdRNMxbSGbuClYFvMgKPhvDHA', 'CreateRemoteThread@kernel32'), ('zdYpViHCCuxgniqqamPpntrZHzZr', 'LoadLibrary@kernel32'), ('tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'OpenProcess@kernel32'), ('wHieHXtQJlXHyVxhONzsxdAXelIaA', 'OpenProcessToken@advapi32')
    Source: 0.0.VCPjXmY0pr.exe.9b0000.0.unpack, OKTUKVPuuDYGxITuxNrCtXxMDJoC.cs | Reference to suspicious API methods: ('FnweNvyxnMVBuRzMZzQEqdtLAPrA', 'GetProcAddress@kernel32'), ('qVnPtdRNMxbSGbuClYFvMgKPhvDHA', 'CreateRemoteThread@kernel32'), ('zdYpViHCCuxgniqqamPpntrZHzZr', 'LoadLibrary@kernel32'), ('tLilNWMRyDYOKxEKGLOPvKSHkUAF', 'OpenProcess@kernel32'), ('wHieHXtQJlXHyVxhONzsxdAXelIaA', 'OpenProcessToken@advapi32')
    Source: explorer.exe, 00000001.00000000.665732018.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
    Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: VCPjXmY0pr.exe, 00000000.00000002.688799779.0000000003011000.00000004.00000001.sdmp, explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: explorer.exe, 00000001.00000000.665998562.0000000001080000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: explorer.exe, 00000001.00000000.677640558.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\VCPjXmY0pr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    The matrix is listed here by tactic column; the number in parentheses is the count the matrix attaches to each technique observed for this sample, and entries without a number are the unobserved techniques of that column.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); System Information Discovery (12); System Owner/User Discovery; Network Sniffing
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails
