| Source: 4.3.vbc.exe.502d8d0.0.unpack |
Avira: Label: TR/Patched.Ren.Gen |
| Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack |
Avira: Label: TR/Dropper.Gen |
| Source: 4.0.vbc.exe.400000.0.unpack |
Avira: Label: TR/Dropper.Gen |
| Source: 4.2.vbc.exe.502d8d0.0.unpack |
Avira: Label: TR/Patched.Ren.Gen |
| Source: |
Binary string: HHGHJJUILn.pdb source: HHGHJJUILn.exe |
| Source: |
Binary string: W.pdb4 source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbsqlite3.dll.4.dr |
| Source: |
Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
| Source: |
Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0: |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0. |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0I |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0P |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://ocsp.digicert.com0R |
| Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://schema.org |
| Source: vbc.exe, 00000004.00000002.510113204.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://showip.net/ |
| Source: HHGHJJUILn.exe |
String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
| Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.maxmind.com |
| Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
| Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/bot |
| Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
| Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
| Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
| Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://showip.net/ |
| Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://showip.net/?checkip= |
| Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://unpkg.com/leaflet |
| Source: HHGHJJUILn.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
| Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
| Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.281674526.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.272371184.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.openstreetmap.org/copyright |
| Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE |
Matched rule: Detects A310Logger Author: ditekSHen |
| Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE |
Matched rule: Detects A310Logger Author: ditekSHen |
| Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects A310Logger Author: ditekSHen |
| Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects A310Logger Author: ditekSHen |
| Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects A310Logger Author: ditekSHen |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
| Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 745497 |
| Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 29301 |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 837648 |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 29301 |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 837648 |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
Long String: Length: 29301 |
| Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
| Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
| Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
| Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
| Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
| Source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR |
Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research |
| Source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe |
| Source: HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe |
| Source: HHGHJJUILn.exe, 00000000.00000002.248401710.00000252BDF3C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs HHGHJJUILn.exe |
| Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamefirebase.exe vs HHGHJJUILn.exe |
| Source: unknown |
Process created: C:\Users\user\Desktop\HHGHJJUILn.exe C:\Users\user\Desktop\HHGHJJUILn.exe |
|
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
|
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
|
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
|
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
|
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp |
Binary or memory string: C*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp |
| Source: vbc.exe, 00000004.00000002.509871994.000000000043F000.00000040.00000400.00020000.00000000.sdmp |
Binary or memory string: =@*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp |
| Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
Cryptographic APIs: 'CreateDecryptor' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
Cryptographic APIs: 'CreateDecryptor' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
Cryptographic APIs: 'CreateDecryptor' |
| Source: |
Binary string: HHGHJJUILn.pdb source: HHGHJJUILn.exe |
| Source: |
Binary string: W.pdb4 source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbsqlite3.dll.4.dr |
| Source: |
Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
| Source: |
Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
| Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
.Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
.Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
.Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
| Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
| Source: HHGHJJUILn.exe, HHGHJJUILn/Form1.cs |
High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
| Source: HHGHJJUILn.exe, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs |
High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
| Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
| Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
| Source: HHGHJJUILn.exe, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs |
High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs |
High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs |
High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
| Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs |
High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs |
High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs |
High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs |
High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs |
High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
| Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs |
High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000 |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 43F000 |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 440000 |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D9A008 |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\HHGHJJUILn.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Jump to behavior |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR |
| Source: Yara match |
File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR |
| Source: Yara match |
File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet