Source: 4.3.vbc.exe.502d8d0.0.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack | Avira: Label: TR/Dropper.Gen |
Source: 4.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 4.2.vbc.exe.502d8d0.0.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: | Binary string: HHGHJJUILn.pdb source: HHGHJJUILn.exe |
Source: | Binary string: W.pdb4 source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbsqlite3.dll.4.dr |
Source: | Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdb source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BUMBUM.pdbBSJB source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp, HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0. |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: HHGHJJUILn.exe | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0I |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0O |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0P |
Source: HHGHJJUILn.exe | String found in binary or memory: http://ocsp.digicert.com0R |
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schema.org |
Source: vbc.exe, 00000004.00000002.510113204.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/ |
Source: HHGHJJUILn.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.maxmind.com |
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot |
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/ |
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/?checkip= |
Source: vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unpkg.com/leaflet |
Source: HHGHJJUILn.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: vbc.exe, 00000004.00000003.272068154.00000000050B9000.00000004.00000020.00020000.00000000.sdmp, LogvangVfuSkfsNcHkxYKVGcfUjjBLLTgabama.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: vbc.exe, 00000004.00000003.271857889.0000000005087000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.281674526.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271870029.000000000507C000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.272371184.0000000005085000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.271831148.0000000005090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openstreetmap.org/copyright |
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen |
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen |
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen |
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen |
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 745497 |
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301 |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 837648 |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301 |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 837648 |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | Long String: Length: 29301 |
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
Source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
Source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207 |
Source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research |
Source: HHGHJJUILn.exe, 00000000.00000002.248728659.00000252BF9A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe |
Source: HHGHJJUILn.exe, 00000000.00000002.248645893.00000252BE0D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBUMBUM.dll. vs HHGHJJUILn.exe |
Source: HHGHJJUILn.exe, 00000000.00000002.248401710.00000252BDF3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs HHGHJJUILn.exe |
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirebase.exe vs HHGHJJUILn.exe |
Source: unknown | Process created: C:\Users\user\Desktop\HHGHJJUILn.exe C:\Users\user\Desktop\HHGHJJUILn.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: HHGHJJUILn.exe, 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: C*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp |
Source: vbc.exe, 00000004.00000002.509871994.000000000043F000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: =@*\AC:\Users\user1\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1sqlite.vbp |
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | .Net Code: Fb1AEOaU7 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0) |
Source: HHGHJJUILn.exe, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
Source: HHGHJJUILn.exe, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
Source: HHGHJJUILn.exe, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
Source: HHGHJJUILn.exe, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
Source: HHGHJJUILn.exe, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
Source: 0.0.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, HHGHJJUILn/Form1.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'YuOqfTprM', 'MLNZSZRFrajNUp8qsp', 'QKFPvBtNpBg69j7Nnf', 'OX6eQ4cexP0VbKZYHd', 'bsysAD7ggZAVgKjpwe', 'pJgmfyX8ODddoG1ri3', 'EdoPmEr7rodWECslCW', 'Wp9BtVBZUNcCDe2G4j' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, AcmWjvFtj9egtnnJX9/dZ7qkvqcNhO85yPNrX.cs | High entropy of concatenated method names: 'Fb1AEOaU7', 'P6xUHAj56', '.cctor', 'A06XxWmccOiN4rKPjE', 'ckqFXlFonRXwg7hGMo', 'mi7ZZuYZOG800P2wrb', 'S2nGXdJDRjIatIq3yl', 'vKbcCMELP1Ff62L5Oc', 'dyH6VaCeOOc3qHO1sU' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, En1Psw4F6pV2BGk3HS/ksk0w2p0NeUeOsNX1k.cs | High entropy of concatenated method names: 'tItAnDqvZw', 'q9cAVedEOK', 'vogA065LUG', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'megHtLN4uvGf4nCRjm', 'G4LOidn2EpGskKj5dn', 'UeEp48U6NOtmIrWXau', 'Yd6kaMVw5VqNsnPYj8' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, o3eGGqBtdpdaBbRpbh/yV5CsNT40LRKh3Lcnn.cs | High entropy of concatenated method names: '.cctor', 'w5iB4s0vtohFt', 'EVrnj8HXc', 'hW9V16hSn', 'XA20E1B6m', 'X9jZKh2WY', 'YuD7NMJ3H', 'yu2GulHW3', 'NSb63FLLs', 'ruvfdsjMx' |
Source: 0.2.HHGHJJUILn.exe.252bdc30000.0.unpack, gJMOHJbIEe0MYsJbwl/GjqP19iwYoYd3r8X3Q.cs | High entropy of concatenated method names: 'bttB4s00sthd0', '.ctor', '.cctor', 'P1FDtSURv5Uv1lFtlE', 'JVDxtvDUYWhjE6hJg7', 'hwBvASNOS9VEAeE2CW', 'nsq8D2qkGJ1RlLF3S8', 'oqM2QpLak1XUxIwwB6', 'wQNnYvW1BlqUUlaKig', 'yiPfGpOSQn7WMKo59Y' |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000 |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 43F000 |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 440000 |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D9A008 |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Source: C:\Users\user\Desktop\HHGHJJUILn.exe | Queries volume information: C:\Users\user\Desktop\HHGHJJUILn.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\ VolumeInformation |
Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d0175a70.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.HHGHJJUILn.exe.252d012dbe0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000000.246767038.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.251576631.00000252D012D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: HHGHJJUILn.exe PID: 5460, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4772, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |