Windows Analysis Report
HHGHJJUILn.exe

Overview

General Information

Sample Name: HHGHJJUILn.exe
Analysis ID: 764040
MD5: 103f2ca898f5c7285a3651f23d926218
SHA1: aded75bc932ddb0c9b17f257f82a5be822cab8e6
SHA256: 10633d83edea2308a01d9bcbd507737bf66e93550be49239cd801257f79c7d37
Tags: exe

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Writes to foreign memory regions
Detected potential unwanted application
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Drops PE files to the user root directory
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Drops PE files to the user directory
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • HHGHJJUILn.exe (PID: 5460 cmdline: C:\Users\user\Desktop\HHGHJJUILn.exe MD5: 103F2CA898F5C7285A3651F23D926218)
    • vbc.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5132 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 4772 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
Process Memory Space: HHGHJJUILn.exe PID: 5460 | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x212b6:$s2: AAAAAAAAAAoVT
  • 0x19769f:$s2: AAAAAAAAAAoVT
  • 0x2af0d0:$s2: AAAAAAAAAAoVT
Process Memory Space: HHGHJJUILn.exe PID: 5460 | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
Process Memory Space: vbc.exe PID: 4772 | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
(2 further entries not shown)

Source | Rule | Description | Author
0.2.HHGHJJUILn.exe.252d0175a70.4.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.HHGHJJUILn.exe.252d0175a70.4.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x2f958:$s1: Temporary Directory * for
  • 0x2f994:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x31b98:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x2f940:$s7: CopyHere
  • 0x2f8fc:$s9: Shell.Application
  • 0x2fca0:$s9: shell.application
  • 0x31d0c:$s10: SetRequestHeader
  • 0x2fa3c:$s12: @TITLE Removing
  • 0x2fa74:$s13: @RD /S /Q "
0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x77b0:$s1: Temporary Directory * for
  • 0x77ec:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x99f0:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x7798:$s7: CopyHere
  • 0x7754:$s9: Shell.Application
  • 0x7af8:$s9: shell.application
  • 0x9b64:$s10: SetRequestHeader
  • 0x7894:$s12: @TITLE Removing
  • 0x78cc:$s13: @RD /S /Q "
4.0.vbc.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
(5 further entries not shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: HHGHJJUILn.exe | Joe Sandbox ML: detected
Source: 4.3.vbc.exe.502d8d0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.vbc.exe.502d8d0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: HHGHJJUILn.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: HHGHJJUILn.pdb source: HHGHJJUILn.exe
Source: Binary string: W.pdb4 source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbsqlite3.dll.4.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | DNS query: name: showip.net
Source: Joe Sandbox View | IP Address: 162.55.60.2 162.55.60.2
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0P
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0R
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schema.org
Source: vbc.exe, 00000004.00000002.510113204.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/
Source: HHGHJJUILn.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.maxmind.com
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/?checkip=
Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unpkg.com/leaflet
Source: HHGHJJUILn.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.281674526.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.272371184.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openstreetmap.org/copyright
Source: unknown | DNS traffic detected: queries for: showip.net
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Project1sqlite Host: showip.net

System Summary

Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: HHGHJJUILn.exe | PE Signature Subject Chain: CN=Wen Jia Liu, O=Wen Jia Liu, L=Sydney, S=New South Wales, C=AU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 745497
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 837648
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 837648
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Code function: 0_2_00007FFDC87E0E1D
Source: HHGHJJUILn.exe | Static PE information: No import functions for PE file found
Source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe
Source: HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe
Source: HHGHJJUILn.exe, 00000000.00000002.248401710.00000252BDF3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs HHGHJJUILn.exe
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirebase.exe vs HHGHJJUILn.exe
Source: HHGHJJUILn.exe | Static PE information: invalid certificate
Source: Joe Sandbox View | Dropped File: C:\Users\Public\vbsqlite3.dll DCFCD16FBF0511D3F2B3792E5493FA22D7291E4BB2EFBFA5ADE5002A04FC2CAB
Source: vbsqlite3.dll.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9930182122564936
Source: HHGHJJUILn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\HHGHJJUILn.exe C:\Users\user\Desktop\HHGHJJUILn.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HHGHJJUILn.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/3@1/1
Source: HHGHJJUILn.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: C*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp
Source: vbc.exe, 00000004.00000002.509871994.000000000043F000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: =@*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp
Source: HHGHJJUILn.exe | String found in binary or memory: %/adD
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: HHGHJJUILn.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: HHGHJJUILn.exe | Static file information: File size 1631776 > 1048576
Source: HHGHJJUILn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HHGHJJUILn.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x188800
Source: HHGHJJUILn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: HHGHJJUILn.exe | Static PE information: real checksum: 0x194b5f should be: 0x1917bd
Source: vbsqlite3.dll.4.dr | Static PE information: real checksum: 0x0 should be: 0x2ae74
Source: HHGHJJUILn.exe | Static PE information: 0xBC772981 [Thu Mar 13 08:46:57 2070 UTC]
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: HHGHJJUILn.exe, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j'
Source: HHGHJJUILn.exe, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8'
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU'
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx'
Source: HHGHJJUILn.exe, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx'
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx'
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile created: C:\Users\Public\vbsqlite3.dllJump to dropped file

                Boot Survival

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\Public\vbsqlite3.dll
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe TID: 2248 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Dropped PE file which has not been started: C:\Users\Public\vbsqlite3.dll
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information queried: ProcessInformation
                Source: vbc.exe, 00000004.00000002.510113204.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 43F000
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 440000
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D9A008
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Queries volume information: C:\Users\user\Desktop\HHGHJJUILn.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 311 Process Injection | 111 Masquerading | 1 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 221 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Source | Detection | Scanner | Label
                HHGHJJUILn.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\Users\Public\vbsqlite3.dll | 0% | ReversingLabs |
                C:\Users\Public\vbsqlite3.dll | 1% | Virustotal |
                Source | Detection | Scanner | Label
                4.3.vbc.exe.502d8d0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack | 100% | Avira | TR/Dropper.Gen
                4.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
                0.2.HHGHJJUILn.exe.252d0175a70.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                4.2.vbc.exe.502d8d0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                showip.net | 162.55.60.2 | true | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                http://showip.net/ | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ac.ecosia.org/autocomplete?q= | LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://search.yahoo.com?fr=crmas_sfp | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://duckduckgo.com/chrome_newtab | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                http://schema.org | vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://api.telegram.org/bot | HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | false | | high
                https://showip.net/ | vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.openstreetmap.org/copyright | vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.281674526.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.272371184.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://unpkg.com/leaflet | vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://search.yahoo.com?fr=crmas_sfpf | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                http://www.maxmind.com | vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://showip.net/?checkip= | vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | false | | high
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                162.55.60.2 | showip.net | United States | 35893 | ACPCA | false
                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                      Analysis ID:764040
                                                      Start date and time:2022-12-09 10:56:11 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 6m 54s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:HHGHJJUILn.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:15
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@9/3@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 49.2% (good quality ratio 42.7%)
                                                      • Quality average: 61.9%
                                                      • Quality standard deviation: 37.1%
                                                      HCA Information:
                                                      • Successful, ratio: 97%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
                • Not all processes were analyzed; the report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                10:57:25 | API Interceptor | 1x Sleep call for process: vbc.exe modified
                                                      No context
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                      Category:dropped
                                                      Size (bytes):165376
                                                      Entropy (8bit):7.894371604278017
                                                      Encrypted:false
                                                      SSDEEP:3072:eNFwdmspaPg9g9oOavAQBNrPkVdc88GjU+vF6nuxRocX5GOOUleo+c:e8d1/w5KA81IJ8GpF6nuTmOOU
                                                      MD5:073A17B6CFB1112C6C838B2FBA06A657
                                                      SHA1:A54BB22489EAA8C52EB3E512AEE522320530B0BE
                                                      SHA-256:DCFCD16FBF0511D3F2B3792E5493FA22D7291E4BB2EFBFA5ADE5002A04FC2CAB
                                                      SHA-512:5BC8307350BD8BA09FA9EEDDDC62F1DBA65DB62EB09AE64E0ADFF4DFAD0937DBEC5B621F294F5980BF77033FAAC3BFE200945C0280606915EE9A82D34A003B9E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      • Antivirus: Virustotal, Detection: 1%, Browse
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F..p.~.#.~.#.~.#.,!#.~.#.,'#.~.#%..#.~.#.~.#]~.#.,6#.~.#.,1#.~.#., #.~.#.,&#.~.#.,##.~.#Rich.~.#........PE..L......H...........!.....p... .......e.......p............................................@..........................t..D....r..(....p......................\........................................g..H...........................................UPX0....................................UPX1.....p.......h..................@....rsrc.... ...p.......l..............@......................................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....
                                                      Process:C:\Users\user\Desktop\HHGHJJUILn.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):226
                                                      Entropy (8bit):5.354940450065058
                                                      Encrypted:false
                                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                                      MD5:B10E37251C5B495643F331DB2EEC3394
                                                      SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                                      SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                                      SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                      Category:dropped
                                                      Size (bytes):94208
                                                      Entropy (8bit):1.2889923589460437
                                                      Encrypted:false
                                                      SSDEEP:192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
                                                      MD5:7901DD9DF50A993306401B7360977746
                                                      SHA1:E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
                                                      SHA-256:1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
                                                      SHA-512:90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
                                                      Malicious:false
                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):4.29079911305477
                                                      TrID:
                                                      • Win64 Executable GUI Net Framework (217006/5) 47.53%
                                                      • Win64 Executable GUI (202006/5) 44.25%
                                                      • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                                                      • Win64 Executable (generic) (12005/4) 2.63%
                                                      • Generic Win/DOS Executable (2004/3) 0.44%
                                                      File name:HHGHJJUILn.exe
                                                      File size:1631776
                                                      MD5:103f2ca898f5c7285a3651f23d926218
                                                      SHA1:aded75bc932ddb0c9b17f257f82a5be822cab8e6
                                                      SHA256:10633d83edea2308a01d9bcbd507737bf66e93550be49239cd801257f79c7d37
                                                      SHA512:19e9732bd86ca29458d3575db2940c14d33266e6d43fad80523a14a47f2eeaf8a6919534509ece55829a4dbeac269c0f6fafa831665af150b9dcee779d3c500a
                                                      SSDEEP:12288:nGrB8Ut5pnAYxJsBDrYPL32PWfDyVan2bAESn97ahY9ceFI/t7tH8rxnaj2/e/PD:GrBi8rxnajdM2th9VYy
                                                      TLSH:9475BC2A38BA010DB361AD9C6BBCB175910EF7F2163A5C774DF7060A25139F0CB9D626
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....)w...................... ........... ....@...... .............................._K....`................................
                                                      Icon Hash:92aca8b2b2a2b286
                                                      Entrypoint:0x400000
                                                      Entrypoint Section:
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0xBC772981 [Thu Mar 13 08:46:57 2070 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:
                                                      Signature Valid:false
                                                      Signature Issuer:CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                      Signature Validation Error:The digital signature of the object did not verify
                                                      Error Number:-2146869232
                                                       Not Before:10/29/2013 5:00:00 PM
                                                       Not After:1/4/2017 4:00:00 AM
                                                      Subject Chain
                                                      • CN=Wen Jia Liu, O=Wen Jia Liu, L=Sydney, S=New South Wales, C=AU
                                                      Version:3
                                                      Thumbprint MD5:FB7AAB26B203432685FBC0FF17F24045
                                                      Thumbprint SHA-1:32387AEC09EB287F202E98398189B460F4C61A0D
                                                      Thumbprint SHA-256:E0E85619EEF45FCE4421E4BA581060E43BBBF25911CD757DD081DA425DD1DB51
                                                      Serial:0FF1EF66BD621C65B74B4DE41425717F
                                                      Instruction
                                                      dec ebp
                                                      pop edx
                                                      nop
                                                      add byte ptr [ebx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax+eax], al
                                                      add byte ptr [eax], al
                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18e000 | 0x1bfa | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18ac00 | 0x3a20 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x18a590 | 0x1c | .text
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x2000 | 0x188634 | 0x188800 | False | 0.2850026124601911 | data | 4.209755910815595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       .sdata | 0x18c000 | 0x1e8 | 0x200 | False | 0.857421875 | data | 6.638446248926509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .rsrc | 0x18e000 | 0x1bfa | 0x1c00 | False | 0.3529575892857143 | data | 5.504563155253437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       Name | RVA | Size | Type | Language | Country
                                                       RT_ICON | 0x18e1b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
                                                       RT_ICON | 0x18f258 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
                                                       RT_GROUP_ICON | 0x18f6c0 | 0x22 | data | |
                                                       RT_VERSION | 0x18f6e4 | 0x32c | data | |
                                                       RT_MANIFEST | 0x18fa10 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Dec 9, 2022 10:57:15.916726112 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.940066099 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.940274954 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.942653894 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.964567900 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965302944 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965341091 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965367079 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965387106 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965396881 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965434074 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965460062 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965523005 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965547085 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965570927 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965576887 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965595007 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965595007 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965609074 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965615988 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965636015 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:15.965637922 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965660095 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:15.965668917 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:30.987771988 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:30.987884998 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:57:46.072297096 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:57:46.072392941 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:58:01.175959110 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:58:01.176172018 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:58:16.280128956 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:58:16.280333996 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:58:31.385688066 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:58:31.386337042 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:58:46.488641977 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:58:46.488744020 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:59:01.591901064 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:59:01.592098951 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:59:05.735914946 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Dec 9, 2022 10:59:05.758949995 CET | 80 | 49711 | 162.55.60.2 | 192.168.2.7
                                                       Dec 9, 2022 10:59:05.759134054 CET | 49711 | 80 | 192.168.2.7 | 162.55.60.2
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Dec 9, 2022 10:57:15.882508039 CET | 50505 | 53 | 192.168.2.7 | 8.8.8.8
                                                       Dec 9, 2022 10:57:15.901057959 CET | 53 | 50505 | 8.8.8.8 | 192.168.2.7
                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                       Dec 9, 2022 10:57:15.882508039 CET | 192.168.2.7 | 8.8.8.8 | 0x51cb | Standard query (0) | showip.net | A (IP address) | IN (0x0001) | false
                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                       Dec 9, 2022 10:57:15.901057959 CET | 8.8.8.8 | 192.168.2.7 | 0x51cb | No error (0) | showip.net | | 162.55.60.2 | A (IP address) | IN (0x0001) | false
                                                      • showip.net


                                                      Target ID:0
                                                      Start time:10:57:07
                                                      Start date:09/12/2022
                                                      Path:C:\Users\user\Desktop\HHGHJJUILn.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\Desktop\HHGHJJUILn.exe
                                                      Imagebase:0x252bdc30000
                                                      File size:1631776 bytes
                                                      MD5 hash:103F2CA898F5C7285A3651F23D926218
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Target ID:1
                                                      Start time:10:57:08
                                                      Start date:09/12/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Imagebase:0x8c0000
                                                      File size:2688096 bytes
                                                      MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:2
                                                      Start time:10:57:08
                                                      Start date:09/12/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Imagebase:0x8c0000
                                                      File size:2688096 bytes
                                                      MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:3
                                                      Start time:10:57:08
                                                      Start date:09/12/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Imagebase:0x8c0000
                                                      File size:2688096 bytes
                                                      MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:4
                                                      Start time:10:57:09
                                                      Start date:09/12/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                      Imagebase:0x8c0000
                                                      File size:2688096 bytes
                                                      MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:Visual Basic
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      No disassembly