Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
Analysis ID: 1538162
MD5: 5219070f480d13acc2c7f195d0cc2ce0
SHA1: 333cbb9b6dc707e1c5cec3d9b4f8b92ef3331c4e
SHA256: e200874f8b157dee0137b88d2773dd4666f56acd558a7bb453dbc72e95605b9c
Tags: exe

Detection

SheetRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SheetRat
.NET source code contains potential unpacker
AI detected suspicious sample
Allows loading of unsigned dll using appinit_dll
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe (PID: 3320 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe" MD5: 5219070F480D13ACC2C7F195D0CC2CE0)
    • WmiPrvSE.exe (PID: 5548 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 2836 cmdline: "CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6928 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5672 cmdline: schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 2568 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7160 cmdline: schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • xdwdDRkernel.exe (PID: 5780 cmdline: "C:\Windows\System32\xdwdDRkernel.exe" MD5: DAB505417386641EDA6647664B05B461)
  • xdwdDRkernel.exe (PID: 344 cmdline: C:\Windows\System32\xdwdDRkernel.exe MD5: DAB505417386641EDA6647664B05B461)
  • xdwdgrwMedia.exe (PID: 5852 cmdline: C:\Windows\Scenarios\xdwdgrwMedia.exe MD5: 55D55E337345200FE48FDCA4C7F21BC1)
  • xdwdDRkernel.exe (PID: 1908 cmdline: C:\Windows\System32\xdwdDRkernel.exe MD5: DAB505417386641EDA6647664B05B461)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe PID: 3320 | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.raw.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |

          System Summary

          Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit, CommandLine: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, ParentProcessId: 3320, ParentProcessName: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, ProcessCommandLine: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit, ProcessId: 6928, ProcessName: cmd.exe
          Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\System32\userinit.exe,C:\Windows\System32\xdwdDRkernel.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, ProcessId: 3320, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
          No Suricata rule has matched

          AV Detection

          Source: C:\Windows\System32\xdwdDRkernel.exe | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | ReversingLabs: Detection: 47%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Joe Sandbox ML: detected
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb | source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData
          Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 147.185.221.21:51965
          Source: Joe Sandbox View | IP Address: 147.185.221.21 147.185.221.21
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic | DNS traffic detected: DNS query: ships-florist.gl.at.ply.gg
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://ocsp.entrust.net02
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://ocsp.entrust.net03
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1841482183.0000000003931000.00000004.00000800.00020000.00000000.sdmp, xdwdDRkernel.exe, 0000000B.00000002.2895757862.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp, xdwdgrwMedia.exe, 0000000D.00000002.1867424029.0000000003036000.00000004.00000800.00020000.00000000.sdmp, xdwdDRkernel.exe, 00000010.00000002.2365913464.0000000003499000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: xdwdDRkernel.exe, 0000000A.00000002.1866718861.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: http://www.entrust.net/rpa03
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1854489683.000000001E2C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1854489683.000000001E2C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirm
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | String found in binary or memory: https://www.entrust.net/rpa0

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, Methods.cs | .Net Code: CaptureResizeReduceQuality
          Source: xdwdDRkernel.exe.0.dr, Methods.cs | .Net Code: CaptureResizeReduceQuality

          System Summary

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File dump: xdwdDRkernel.exe.0.dr 737630248
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B788B9E NtProtectVirtualMemory
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B778B9E NtProtectVirtualMemory
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B788B9E NtProtectVirtualMemory
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B758B9E NtProtectVirtualMemory
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B788B9E NtProtectVirtualMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\System32\xdwdDRkernel.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\Scenarios
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\Scenarios\xdwdgrwMedia.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\xdwd.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B784EF6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B788510
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B785CA2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B7884FD
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B774EF6
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B778510
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B775CA2
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B7784FD
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B784EF6
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B788510
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B785CA2
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B7884FD
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B754EF6
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B758510
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B755CA2
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B7584FD
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B784EF6
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B788510
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B785CA2
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B7884FD
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: invalid certificate
          Source: xdwdDRkernel.exe.0.dr | Static PE information: No import functions for PE file found
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: No import functions for PE file found
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1854820521.000000001E303000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000000.1649046167.0000000000560000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename. vs SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Binary or memory string: OriginalFilename. vs SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: xdwdDRkernel.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: xdwdDRkernel.exe.0.dr, SecrityHidden.cs | Security API names: File.GetAccessControl
          Source: xdwdDRkernel.exe.0.dr, SecrityHidden.cs | Security API names: File.SetAccessControl
          Source: xdwdDRkernel.exe.0.dr, SecrityHidden.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, SecrityHidden.cs | Security API names: File.GetAccessControl
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, SecrityHidden.cs | Security API names: File.SetAccessControl
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, SecrityHidden.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: xdwdDRkernel.exe.0.dr, Config.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: xdwdDRkernel.exe.0.dr, Config.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, Config.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, Config.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/3@1/1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.log
          Source: C:\Windows\System32\xdwdDRkernel.exe | Mutant created: NULL
          Source: C:\Windows\System32\xdwdDRkernel.exe | Mutant created: \Sessions\1\BaseNamedObjects\ydkmzmj(c(yjjtg7m_ya3b&!iwa*
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST
          Source: unknown | Process created: C:\Windows\System32\xdwdDRkernel.exe C:\Windows\System32\xdwdDRkernel.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\xdwdDRkernel.exe "C:\Windows\System32\xdwdDRkernel.exe"
          Source: unknown | Process created: C:\Windows\Scenarios\xdwdgrwMedia.exe C:\Windows\Scenarios\xdwdgrwMedia.exe
          Source: unknown | Process created: C:\Windows\System32\xdwdDRkernel.exe C:\Windows\System32\xdwdDRkernel.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\xdwdDRkernel.exe "C:\Windows\System32\xdwdDRkernel.exe"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: twext.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: cscui.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: policymanager.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: msvcp110_win.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: workfoldersshell.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: ntshrui.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: windows.fileexplorer.common.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: starttiledata.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: usermgrcli.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: usermgrproxy.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: acppage.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: msi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: aepic.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
          Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb | source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, PluginLoader.cs | .Net Code: Load System.AppDomain.Load(byte[])
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, PluginLoader.cs | .Net Code: Load
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, AsmiAndETW.cs | .Net Code: AggresivAmsiActivate System.Reflection.Assembly.Load(byte[])
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, Updater.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
          Source: xdwdDRkernel.exe.0.dr, PluginLoader.cs | .Net Code: Load System.AppDomain.Load(byte[])
          Source: xdwdDRkernel.exe.0.dr, PluginLoader.cs | .Net Code: Load
          Source: xdwdDRkernel.exe.0.dr, AsmiAndETW.cs | .Net Code: AggresivAmsiActivate System.Reflection.Assembly.Load(byte[])
          Source: xdwdDRkernel.exe.0.dr, Updater.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Code function: 0_2_00007FFD9B7800BD pushad ; iretd 0_2_00007FFD9B7800C1
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 10_2_00007FFD9B7700BD pushad ; iretd 10_2_00007FFD9B7700C1
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B7800BD pushad ; iretd 11_2_00007FFD9B7800C1
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B789E41 push ss; retf 11_2_00007FFD9B789E1F
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 11_2_00007FFD9B789DD6 push ss; retf 11_2_00007FFD9B789E1F
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Code function: 13_2_00007FFD9B7500BD pushad ; iretd 13_2_00007FFD9B7500C1
          Source: C:\Windows\System32\xdwdDRkernel.exe | Code function: 16_2_00007FFD9B7800BD pushad ; iretd 16_2_00007FFD9B7800C1
          Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Static PE information: section name: .text entropy: 7.7538884297444755
          Source: xdwdDRkernel.exe.0.dr | Static PE information: section name: .text entropy: 7.7538884297444755
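The .text entropy of about 7.75 bits per byte reported for both the submitted file and the dropped xdwdDRkernel.exe is the usual signature of compressed or encrypted data sitting inside the code section, which fits the Assembly.Load(byte[]) and AppDomain.Load(byte[]) calls listed above: the stub decrypts an embedded assembly and loads it from memory. The script below is an added example, not code from the Joe Sandbox report, the analysts, or the sample. It parses the PE section table by hand (standard library only), computes per-section Shannon entropy and flags sections at or above a threshold. The 7.0 threshold and the minimal PE32+ image it constructs for the offline run are assumptions made for the demonstration.

```python
"""Per-section Shannon entropy for a PE file.

Added example for this report; it is not code from the sandbox or from the
sample. The PE section table is parsed by hand so the script needs nothing
beyond the standard library, and build_demo_pe() constructs a throwaway
PE32+ image (assumed layout, not loadable) so the script runs offline.
Assumption: sections at or above 7.0 bits/byte are treated as packed or
encrypted, the usual reading of the 7.75 .text entropy reported above.
"""
import math
import struct
import sys

HIGH_ENTROPY_THRESHOLD = 7.0  # assumption, see module docstring
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_LEN + size_of_optional
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_LEN
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image: bytes):
    """[(section_name, entropy)] in file order."""
    return [(name, shannon_entropy(data)) for name, data in pe_sections(image)]


def flag_high_entropy_sections(image: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD):
    """Sections whose entropy meets the threshold, values rounded to 3 places."""
    return [(name, round(h, 3)) for name, h in section_entropies(image) if h >= threshold]


def build_demo_pe(sections, file_align: int = 0x200) -> bytes:
    """Construct a minimal PE32+ image holding the given [(name_bytes, data)] sections.

    Demo-only input: every header field pe_sections() does not read is left
    zero, so the result is not loadable. It exists so the script runs offline.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xF0  # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_optional, 0x22)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x20B)  # PE32+ magic
    headers_len = e_lfanew + 4 + COFF_HEADER_LEN + size_of_optional + SECTION_HEADER_LEN * len(sections)
    first_raw = -(-headers_len // file_align) * file_align
    raw_ptr, headers, payload = first_raw, b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), raw_ptr, raw_size, raw_ptr,
                               0, 0, 0, 0, 0x60000020)  # code | execute | read
        payload += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    header_blob = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + headers
    return header_blob.ljust(first_raw, b"\0") + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:  # constructed input: a uniform-byte .text next to an all-zero .data
        image = build_demo_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)])
    for name, h in section_entropies(image):
        print(f"{name:<8} {h:.3f}")
    print("flagged:", flag_high_entropy_sections(image))
```

Run it against the dropped file as `python3 section_entropy.py xdwdDRkernel.exe`. A high .text value on its own is only a hint (legitimately compressed resources produce the same number); the report's reasoning is the combination with the in-memory load calls, so treat the flag as a prompt to look for Assembly.Load(byte[]) in the decompiled stub rather than as a verdict.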

          Persistence and Installation Behavior

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Executable created and started: C:\Windows\System32\xdwdDRkernel.exe
          Source: unknown | Executable created and started: C:\Windows\Scenarios\xdwdgrwMedia.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\System32\xdwdDRkernel.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File created: C:\Windows\System32\xdwdDRkernel.exe

          Boot Survival

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Registry value created: RequireSignedAppInit_DLLs 0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process information set: NOOPENFILEERRORBOX (this row is repeated 36 times in the report)
          Source: C:\Windows\System32\xdwdDRkernel.exe | Process information set: NOOPENFILEERRORBOX (this row is repeated 69 times in the report)
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Scenarios\xdwdgrwMedia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\xdwdDRkernel.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

WMI hardware enumeration (camera, disk, video controller and CPU; the usual inputs for virtual-machine fingerprinting):
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera' (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive (3 entries)
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive (9 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive (3 entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (3 entries)
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Note: each query is benign in isolation (inventory tools issue the same ones). The signal is that the submitted file and every dropped copy run the identical set at startup, which is the shape of a guard that inspects device names and disk models before the payload proceeds.

Memory reserved with write watch (MEM_WRITE_WATCH; flagged as possible sandbox evasion, but the .NET garbage collector reserves its heaps the same way, so on a .NET sample this is weak evidence):
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Memory allocated: ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Memory allocated: 1B930000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: 1BAE0000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: 1BAA0000 memory reserve | memory write watch
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Memory allocated: E80000 memory reserve | memory write watch
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Memory allocated: 1B020000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Windows\System32\xdwdDRkernel.exe | Memory allocated: 1B460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Memory allocated: page read and write | page guard

Thread delays:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Windows\System32\xdwdDRkernel.exe | Thread delayed: delay time: 922337203685477 (4 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\xdwdDRkernel.exe TID: 4484 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\xdwdDRkernel.exe TID: 4940 | Thread sleep count: 161 > 30
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe TID: 2676 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\xdwdDRkernel.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\xdwdDRkernel.exe | Last function: Thread delayed (2 entries)
Note: 922337203685477 is not a delay the author chose. Sleep/SleepEx(INFINITE) hand NtDelayExecution a relative interval of 0x8000000000000000 (-2^63 hundred-nanosecond units), which is 922337203685477 ms once converted; it shows a thread parked for good after the worker threads are started, which in a .NET program is what Thread.Sleep(Timeout.Infinite) produces. The "sleep count: 161 > 30" entry on TID 4940 is the one that reflects repeated short sleeps.

Files and directories opened:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | File opened: C:\Users\user\AppData

Source: xdwdDRkernel.exe, 0000000B.00000002.2900965280.000000001D160000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWur%SystemRoot%\system32\mswsock.dll0a3a"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process token adjusted: Debug
Source: C:\Windows\System32\xdwdDRkernel.exe | Process token adjusted: Debug (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Process token adjusted: Debug

Persistence and firewall commands issued by the sample:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\xdwdDRkernel.exe "C:\Windows\System32\xdwdDRkernel.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST
Note: both tasks run at the highest available privilege level (/RL HIGHEST), overwrite any existing task of the same name (/f), and re-launch the dropped binaries every minute and every 30 minutes respectively. Killing the processes without deleting the tasks AppID\CrashReporter_NvTew and Maps\MachineCoreGoogleUpdateTor buys at most a minute. The folder names AppID and Maps are borrowed from the built-in Microsoft\Windows task library but are created at the root of the task tree, so filter on the action path rather than on the task name.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe VolumeInformation
Source: C:\Windows\System32\xdwdDRkernel.exe | Queries volume information: C:\Windows\System32\xdwdDRkernel.exe VolumeInformation (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | Queries volume information: C:\Windows\Scenarios\xdwdgrwMedia.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-install value, commonly read to build a victim identifier)

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit
Note: an inbound allow rule for the dropped binary, under a rule name that is random bytes rather than a readable label. Writing into C:\Windows\System32 and adding a firewall rule both require administrative rights, so the analysis ran elevated. On a suspect host, list firewall rules whose program path is under C:\Windows and check each binary's signature; a legitimate rule there points at a signed Microsoft file.

Source: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1838209943.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, xdwdDRkernel.exe, 0000000A.00000002.1863508154.0000000001660000.00000004.00000020.00020000.00000000.sdmp, xdwdDRkernel.exe, 0000000A.00000002.1866169655.000000000166E000.00000004.00000020.00020000.00000000.sdmp, xdwdDRkernel.exe, 0000000B.00000002.2894747091.0000000001321000.00000004.00000020.00020000.00000000.sdmp, xdwdgrwMedia.exe, 0000000D.00000002.1866025596.00000000009C2000.00000004.00000020.00020000.00000000.sdmp, xdwdDRkernel.exe, 00000010.00000002.2365241575.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, xdwdDRkernel.exe, 00000010.00000002.2365241575.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Security-product discovery via the Security Center WMI namespace:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\xdwdDRkernel.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (3 entries)
Source: C:\Windows\Scenarios\xdwdgrwMedia.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
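The schtasks and netsh command lines recorded above are the sample's persistence and firewall changes as they would appear in process-creation telemetry. What follows is an added example, not code from the report, from Joe Sandbox or from the sample: a hunting rule over Sysmon Event ID 1 or Security 4688 command lines that flags scheduled tasks combining /RL HIGHEST, a minute-interval schedule and an action path under C:\Windows, and inbound firewall allow rules whose program sits under C:\Windows. The rule names, the Finding type and the two benign command lines are my own constructions; the three flagged command lines are the ones the sandbox recorded.

```python
"""Hunt for the persistence and firewall-tampering command lines this report
records, in process-creation telemetry (Sysmon Event ID 1, Security 4688).

Added example for this page; not code from the report or from the sample.
SAMPLE_COMMAND_LINES is constructed: the three flagged lines reproduce what the
sandbox recorded, the benign ones are invented so the rules can be seen to stay
quiet on ordinary administrative activity.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_COMMAND_LINES = [
    # As recorded by the sandbox (see the Process created entries above).
    r'"CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit',
    r'"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit',
    r'"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit',
    # Constructed benign lines (not from the report).
    r'schtasks /create /tn "Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
]


@dataclass
class Finding:
    rule: str      # hypothetical rule name, chosen for this example
    target: str    # the binary the task or firewall rule points at
    detail: str


def _opt(cmdline: str, name: str) -> Optional[str]:
    """Value of a schtasks-style option such as /tr "..." or /mo 30 (quotes stripped)."""
    m = re.search(r'/%s\b\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _kv(cmdline: str, key: str) -> Optional[str]:
    """Value of a netsh-style key=value or key="value" argument (quotes stripped)."""
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % re.escape(key), cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def under_windows_dir(path: str) -> bool:
    """True for paths inside C:\\Windows, where a user-launched process has no business installing binaries."""
    return path.strip('"').lower().startswith("c:\\windows\\")


def check_schtasks(cmdline: str) -> Optional[Finding]:
    """Flag `schtasks /create` that keeps re-launching an elevated task from the Windows directory."""
    if not re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.I) or not re.search(r"/create\b", cmdline, re.I):
        return None
    target = _opt(cmdline, "tr") or ""
    reasons = []
    if (_opt(cmdline, "RL") or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/RL HIGHEST)")
    if under_windows_dir(target):
        reasons.append("task action lives under C:\\Windows")
    if (_opt(cmdline, "sc") or "").lower() == "minute":
        reasons.append("re-launched every %s minute(s)" % (_opt(cmdline, "mo") or "?"))
    # Any one trait alone is common in legitimate admin scripts; two or more is worth a look.
    if len(reasons) < 2:
        return None
    return Finding("schtasks_elevated_relaunch", target, "; ".join(reasons))


def check_netsh(cmdline: str) -> Optional[Finding]:
    """Flag a firewall allow rule that opens a hole for a binary under C:\\Windows."""
    if not re.search(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\badd\s+rule\b", cmdline, re.I):
        return None
    program = _kv(cmdline, "program") or ""
    if (_kv(cmdline, "action") or "").lower() != "allow" or not under_windows_dir(program):
        return None
    # The rule name may contain arbitrary bytes and unbalanced quotes (as in this sample),
    # so take everything up to the next key= token instead of parsing quotes.
    name = re.search(r"\bname=(.*?)\s+(?=dir=|action=|program=|enable=|protocol=)", cmdline, re.I)
    rule_name = name.group(1) if name else "?"
    direction = _kv(cmdline, "dir") or "?"
    return Finding("netsh_allow_windows_dir_program", program,
                   "%s allow rule named %r for a binary under C:\\Windows" % (direction, rule_name))


def scan(cmdlines: List[str]) -> List[Finding]:
    """Run every rule over every command line; findings come back in input order."""
    findings = []
    for line in cmdlines:
        for check in (check_schtasks, check_netsh):
            hit = check(line)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print("[%s] %s: %s" % (f.rule, f.target, f.detail))
```

Run as a script it prints three findings, one per recorded command line, and nothing for the two benign lines. Replace SAMPLE_COMMAND_LINES with the CommandLine field of your own events to hunt with it. A legitimate allow rule for a Microsoft binary under C:\Windows would also surface, so treat the netsh rule as a triage queue and verify the flagged file's signature and hash as the second stage.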

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe PID: 3320, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe.13983b30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe PID: 3320, type: MEMORYSTR
Note: the same four Yara hits back both sections; they come from the payload unpacked in memory at 0x13983b30 of the submitted process, not from the file on disk, so a file-only scan of the dropper can miss what memory scanning catches.
MITRE ATT&CK matrix, matched techniques only (the bracketed numbers are the count badges of the matrix cells as extracted, which may be fused; the other technique names in the extracted matrix are the unmatched template cells):

Execution: Windows Management Instrumentation [221]; Scheduled Task/Job [1]
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]
Privilege Escalation: Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]
Defense Evasion: Masquerading [121]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [341]; Process Injection [11]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]
Discovery: Security Software Discovery [331]; Virtualization/Sandbox Evasion [341]; File and Directory Discovery [2]; System Information Discovery [213]
Collection: Screen Capture [1]; Archive Collected Data [1]
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matched techniques
Behavior graph (ID 1538162, start date 20/10/2024, architecture WINDOWS, score 100), rendered as a process tree because the graphic itself is not part of this extract:

Signatures on the root node: Multi AV Scanner detection for submitted file; Yara detected SheetRat; .NET source code contains potential unpacker; 6 other signatures
DNS/IP node: ships-florist.gl.at.ply.gg -> 147.185.221.21 (SALSGIVERUS, United States), ports 49734, 49742, 49747

SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe (started from the root)
  dropped file: C:\Windows\System32\xdwdDRkernel.exe, PE32+
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
  -> cmd.exe -> conhost.exe (signature on this branch: Uses schtasks.exe or at.exe to add and modify task schedules)
  -> cmd.exe -> conhost.exe, schtasks.exe
  -> cmd.exe -> conhost.exe, schtasks.exe
  -> 2 other processes, which own the connection to ships-florist.gl.at.ply.gg
xdwdDRkernel.exe (started from the root)
  signatures: Antivirus detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
xdwdgrwMedia.exe (started from the root)
xdwdDRkernel.exe (started from the root, second instance)

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Windows\System32\xdwdDRkernel.exe | 100% | Avira | TR/Crypt.OPACK.Gen

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://aia.entrust.net/ts1-chain256.cer01 | 0% | URL Reputation | safe
http://crl.entrust.net/ts1ca.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ocsp.entrust.net02 | 0% | URL Reputation | safe
http://www.entrust.net/rpa03 | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
https://aka.ms/Vh5j3k | 0% | URL Reputation | safe
https://www.entrust.net/rpa0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ships-florist.gl.at.ply.gg | 147.185.221.21 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://aia.entrust.net/ts1-chain256.cer01 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0 | xdwdDRkernel.exe, 0000000A.00000002.1866718861.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.entrust.net/ts1ca.crl0 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1841482183.0000000003931000.00000004.00000800.00020000.00000000.sdmp, xdwdDRkernel.exe, 0000000B.00000002.2895757862.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp, xdwdgrwMedia.exe, 0000000D.00000002.1867424029.0000000003036000.00000004.00000800.00020000.00000000.sdmp, xdwdDRkernel.exe, 00000010.00000002.2365913464.0000000003499000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net02 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
http://www.entrust.net/rpa03 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
https://aka.ms/Vh5j3k | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1854489683.000000001E2C6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.entrust.net/rpa0 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, xdwdDRkernel.exe.0.dr | false | URL Reputation: safe | unknown
https://aka.ms/odirm | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe, 00000000.00000002.1854489683.000000001E2C6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.21 | ships-florist.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | false
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1538162
                Start date and time:2024-10-20 17:35:03 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 7s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:18
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@20/3@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 21
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
Time | Type | Description
16:36:07 | Task Scheduler | Run new task: CrashReporter_NvTew path: C:\Windows\System32\xdwdDRkernel.exe
16:36:09 | Task Scheduler | Run new task: MachineCoreGoogleUpdateTor path: C:\Windows\Scenarios\xdwdgrwMedia.exe
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.21 | mIURiU8n2P.exe | malicious | XWorm
147.185.221.21 | PixpFUv4G7.exe | malicious | Quasar, XWorm
147.185.221.21 | r4RF3TX5Mi.exe | malicious | XWorm
147.185.221.21 | ra66DSpa.exe | malicious | XWorm
147.185.221.21 | Q5N7WOpk8J.bat | malicious | Unknown
147.185.221.21 | NzEsfIiAc0.exe | malicious | XWorm
147.185.221.21 | Y666Gn09a1.exe | malicious | XWorm
147.185.221.21 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm
147.185.221.21 | WIN CHANGER 2.3.exe | malicious | XWorm
147.185.221.21 | jj7svxNeaQ.exe | malicious | XWorm
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | gPEbJi1xiY.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | lx3vLwrX57.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | arm7.elf | malicious | Unknown | 147.168.93.87
SALSGIVERUS | file.exe | malicious | AsyncRAT | 147.185.221.20
SALSGIVERUS | arm7.elf | malicious | Unknown | 147.168.203.92
SALSGIVERUS | MjrlHJvNyq.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | r8k29DBraE.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | SpeedHack666Cheat (no VM detected).exe | malicious | Njrat, RevengeRAT | 147.185.221.23
SALSGIVERUS | mIURiU8n2P.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 147.185.221.23
                                    No context
                                    No context
                                    Process:C:\Windows\System32\xdwdDRkernel.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):642
                                    Entropy (8bit):5.349816875832946
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaOKbbDLI4MWuPOKfSSI6Khav:ML9E4KQMsXE4NpOKDE4KGKZI6Khk
                                    MD5:CE2C9B879749D2DDE6CEE82813F4ED9D
                                    SHA1:45614E9485EF4EEAD572387D9DD69480D1C79888
                                    SHA-256:8F7CD246CA33FC6FF7ED3C425842EEC6433FCDA26F4603C26C3A498273AE83CB
                                    SHA-512:5AB487F6AE9F2E749114FE50DB1EF9FB181B3B0968C92AA787362C59788376FF50F6411ECFAE835CD1001B68E9B1961398A695AB16D5412F09E49A44A769F5EE
                                    Malicious:false
                                    Reputation:low
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                    Process:C:\Windows\Scenarios\xdwdgrwMedia.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):642
                                    Entropy (8bit):5.349816875832946
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaOKbbDLI4MWuPOKfSSI6Khav:ML9E4KQMsXE4NpOKDE4KGKZI6Khk
                                    MD5:CE2C9B879749D2DDE6CEE82813F4ED9D
                                    SHA1:45614E9485EF4EEAD572387D9DD69480D1C79888
                                    SHA-256:8F7CD246CA33FC6FF7ED3C425842EEC6433FCDA26F4603C26C3A498273AE83CB
                                    SHA-512:5AB487F6AE9F2E749114FE50DB1EF9FB181B3B0968C92AA787362C59788376FF50F6411ECFAE835CD1001B68E9B1961398A695AB16D5412F09E49A44A769F5EE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):737630248
                                    Entropy (8bit):0.010686776300131142
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:DAB505417386641EDA6647664B05B461
                                    SHA1:904B6A96404A243EABF27015BDFF2F25E5F21BDD
                                    SHA-256:AFF05B82ED6192011AD2F3FF2AE04221C6AA2FFCE86E6B78B067068DEBD1739D
                                    SHA-512:EDDC154251A36FF654EFD9B88F6E32F39F050E994BBF6CACCAE32B7D36206EB4624ED95304C82E9CA7887AF9535D9F9C356613ADEEC10C1A21E7D9B9DA9371DF
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0......d........... .....@..... ....................................@...@......@............... ...................................b...........2..(&........................................................................... ..H............text...,.... ...................... ..`.rsrc....b.......d..................@..@........................................H............`...... ....e...$...........................................W.......4...f.2..W.....H3......3.........(!...*J.($....o%...(....*6..(&...o....*"..o....*F($....(....o0...*2.o....(1...*".o.....*.sD........*.(%...-#(&...-.($...-.('...-.((...-.(*...,..(K...*.r3..p(j...sL...sM...(N...oO......*.rs..p(j...sL...sM...(N...oO......*.s-........*.....*n.r=..p(j...rQ..p(j...(2...*b.{%....o<...(v....ow...*2~.....o....*...}+.....}*.....{*....8...}(.....})...*....C...s....s.....{(...(.....
                                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):6.716386309664472
                                    TrID:
                                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                    • Win64 Executable GUI (202006/5) 46.43%
                                    • Win64 Executable (generic) (12005/4) 2.76%
                                    • Generic Win/DOS Executable (2004/3) 0.46%
                                    • DOS Executable Generic (2002/1) 0.46%
                                    File name:SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
                                    File size:481'320 bytes
                                    MD5:5219070f480d13acc2c7f195d0cc2ce0
                                    SHA1:333cbb9b6dc707e1c5cec3d9b4f8b92ef3331c4e
                                    SHA256:e200874f8b157dee0137b88d2773dd4666f56acd558a7bb453dbc72e95605b9c
                                    SHA512:5549fc0d454cb898fb2e089b1247e0196898c18e2299b87052d16053629afb9807c2512abe9b6875cc158bd17ba5ee132b657058f1fc97b5c8d7763c3f8d2924
                                    SSDEEP:6144:RefGRHh9jUIsWRZovT3ST4sbs4ebd89sX0ChUp1hsJ8EH:sfGBbjUeRZoLSUCN6vUp1a+EH
                                    TLSH:5BA429B28B831DB3D4C2E2BB3F0501DA9998AA4325FD015B617DF66EC26D6585343E0F
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0......d........... .....@..... ....................................@...@......@............... .....
                                    Icon Hash:0f6955a88855290f
                                    Entrypoint:0x140000000
                                    Entrypoint Section:
                                    Digitally signed:true
                                    Imagebase:0x140000000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66CCF161 [Mon Aug 26 21:19:29 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:
                                    Signature Valid:false
                                    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                    Signature Validation Error:The digital signature of the object did not verify
                                    Error Number:-2146869232
                                    Not Before, Not After
                                    • 26/02/2022 00:00:00 01/03/2023 23:59:59
                                    Subject Chain
                                    • CN=Nvidia Corporation, OU=IT-MIS, O=Nvidia Corporation, L=Santa Clara, S=California, C=US
                                    Version:3
                                    Thumbprint MD5:1CCB73FCDB6A7BE7C04978F53E40695A
                                    Thumbprint SHA-1:CA0F1595C0C349C003D41743460E448E887F9477
                                    Thumbprint SHA-256:1E56D8CFAE4119883632D8FD6E1E3ACDF16CDDAB9621FCA4D6CFFB1A663E74D1
                                    Serial:0800EE4ED1A959CC9887E905AD662BFE
                                    Instruction
                                    dec ebp
                                    pop edx
                                    nop
                                    add byte ptr [ebx], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+eax], al
                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x4620c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x73200 | 0x2628 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2cb2c | 0x2cc00 | 7692a5e86ecb764bcc92bf6f0ae274f5 | False | 0.88294343575419 | data | 7.7538884297444755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x30000 | 0x4620c | 0x46400 | 0a3c5de5f63ddfb385dd703e5147abd8 | False | 0.16322842526690393 | data | 5.544214903643953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x301c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6480496453900709
RT_ICON | 0x30628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4376172607879925
RT_ICON | 0x316d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.35892116182572614
RT_ICON | 0x33c78 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.1473170695623872
RT_GROUP_ICON | 0x75ca0 | 0x3e | data | | | 0.7580645161290323
RT_VERSION | 0x75ce0 | 0x340 | data | | | 0.43990384615384615
RT_MANIFEST | 0x76020 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 17:36:12.634309053 CEST | 49734 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:12.639552116 CEST | 51965 | 49734 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:12.639621973 CEST | 49734 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:12.776011944 CEST | 49734 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:12.780859947 CEST | 51965 | 49734 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:20.288965940 CEST | 51965 | 49734 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:20.289031982 CEST | 49734 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:20.504091024 CEST | 49734 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:20.504951000 CEST | 49742 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:20.509044886 CEST | 51965 | 49734 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:20.509789944 CEST | 51965 | 49742 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:20.509968996 CEST | 49742 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:20.510272980 CEST | 49742 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:20.515115023 CEST | 51965 | 49742 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:28.120836973 CEST | 51965 | 49742 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:28.121068954 CEST | 49742 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:28.331571102 CEST | 49742 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:28.332695007 CEST | 49747 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:28.336704969 CEST | 51965 | 49742 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:28.337675095 CEST | 51965 | 49747 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:28.337749004 CEST | 49747 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:28.338041067 CEST | 49747 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:28.342776060 CEST | 51965 | 49747 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:35.943000078 CEST | 51965 | 49747 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:35.943269968 CEST | 49747 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:36.159586906 CEST | 49747 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:36.160435915 CEST | 49748 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:36.164381027 CEST | 51965 | 49747 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:36.165262938 CEST | 51965 | 49748 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:36.165348053 CEST | 49748 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:36.171225071 CEST | 49748 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:36.176045895 CEST | 51965 | 49748 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:43.774478912 CEST | 51965 | 49748 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:43.774596930 CEST | 49748 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:43.987988949 CEST | 49748 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:43.989671946 CEST | 49749 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:43.992870092 CEST | 51965 | 49748 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:43.994508982 CEST | 51965 | 49749 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:43.994599104 CEST | 49749 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:43.995342970 CEST | 49749 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:44.000442982 CEST | 51965 | 49749 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:51.608449936 CEST | 51965 | 49749 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:51.608549118 CEST | 49749 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:51.815913916 CEST | 49749 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:51.816845894 CEST | 49750 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:51.821229935 CEST | 51965 | 49749 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:51.821803093 CEST | 51965 | 49750 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:51.821888924 CEST | 49750 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:51.822141886 CEST | 49750 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:51.827009916 CEST | 51965 | 49750 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:59.448327065 CEST | 51965 | 49750 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:59.448388100 CEST | 49750 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:59.659603119 CEST | 49750 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:59.660358906 CEST | 49775 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:59.664525986 CEST | 51965 | 49750 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:59.665271044 CEST | 51965 | 49775 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:36:59.665334940 CEST | 49775 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:59.665545940 CEST | 49775 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:36:59.670514107 CEST | 51965 | 49775 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:07.288518906 CEST | 51965 | 49775 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:07.290239096 CEST | 49775 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:07.503489017 CEST | 49775 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:07.504504919 CEST | 49809 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:07.508291006 CEST | 51965 | 49775 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:07.509475946 CEST | 51965 | 49809 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:07.509547949 CEST | 49809 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:07.509814024 CEST | 49809 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:07.515062094 CEST | 51965 | 49809 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:15.126517057 CEST | 51965 | 49809 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:15.126583099 CEST | 49809 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:15.331713915 CEST | 49809 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:15.332813025 CEST | 49849 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:15.336679935 CEST | 51965 | 49809 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:15.337739944 CEST | 51965 | 49849 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:15.337809086 CEST | 49849 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:15.338062048 CEST | 49849 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:15.342832088 CEST | 51965 | 49849 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:22.950733900 CEST | 51965 | 49849 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:22.950939894 CEST | 49849 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:23.159801006 CEST | 49849 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:23.160541058 CEST | 49882 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:23.165294886 CEST | 51965 | 49849 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:23.166261911 CEST | 51965 | 49882 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:23.166318893 CEST | 49882 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:23.166548014 CEST | 49882 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:23.171319008 CEST | 51965 | 49882 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:30.791578054 CEST | 51965 | 49882 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:30.791647911 CEST | 49882 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:31.003467083 CEST | 49882 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:31.004232883 CEST | 49915 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:31.008363008 CEST | 51965 | 49882 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:31.009083986 CEST | 51965 | 49915 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:31.009146929 CEST | 49915 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:31.009373903 CEST | 49915 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:31.014182091 CEST | 51965 | 49915 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:38.614792109 CEST | 51965 | 49915 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:38.614962101 CEST | 49915 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:38.816013098 CEST | 49915 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:38.817079067 CEST | 49946 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:38.821099997 CEST | 51965 | 49915 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:38.822165012 CEST | 51965 | 49946 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:38.822235107 CEST | 49946 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:38.822715044 CEST | 49946 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:38.827660084 CEST | 51965 | 49946 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:46.439300060 CEST | 51965 | 49946 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:46.439369917 CEST | 49946 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:46.644418001 CEST | 49946 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:46.645440102 CEST | 49980 | 51965 | 192.168.2.4 | 147.185.221.21
Oct 20, 2024 17:37:46.649548054 CEST | 51965 | 49946 | 147.185.221.21 | 192.168.2.4
Oct 20, 2024 17:37:46.650468111 CEST | 51965 | 49980 | 147.185.221.21 | 192.168.2.4
                                    Oct 20, 2024 17:37:46.650542021 CEST4998051965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:46.650840044 CEST4998051965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:46.656346083 CEST5196549980147.185.221.21192.168.2.4
                                    Oct 20, 2024 17:37:54.280622005 CEST5196549980147.185.221.21192.168.2.4
                                    Oct 20, 2024 17:37:54.280688047 CEST4998051965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:54.487946033 CEST4998051965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:54.488917112 CEST5001551965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:54.493721008 CEST5196549980147.185.221.21192.168.2.4
                                    Oct 20, 2024 17:37:54.495568991 CEST5196550015147.185.221.21192.168.2.4
                                    Oct 20, 2024 17:37:54.495650053 CEST5001551965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:54.495897055 CEST5001551965192.168.2.4147.185.221.21
                                    Oct 20, 2024 17:37:54.501622915 CEST5196550015147.185.221.21192.168.2.4
                                    TimestampSource PortDest PortSource IPDest IP
                                    Oct 20, 2024 17:36:12.591021061 CEST5720853192.168.2.41.1.1.1
                                    Oct 20, 2024 17:36:12.605979919 CEST53572081.1.1.1192.168.2.4
                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Oct 20, 2024 17:36:12.591021061 CEST192.168.2.41.1.1.10x9eedStandard query (0)ships-florist.gl.at.ply.ggA (IP address)IN (0x0001)false
                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Oct 20, 2024 17:36:12.605979919 CEST1.1.1.1192.168.2.40x9eedNo error (0)ships-florist.gl.at.ply.gg147.185.221.21A (IP address)IN (0x0001)false

                                    Target ID:0
                                    Start time:11:35:52
                                    Start date:20/10/2024
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe"
                                    Imagebase:0x530000
                                    File size:481'320 bytes
                                    MD5 hash:5219070F480D13ACC2C7F195D0CC2CE0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.1852045554.0000000013961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:11:36:06
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff693ab0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:11:36:06
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"CMD" netsh advfirewall firewall add rule name=",`f @A"X@f_J@M" dir=in action=allow program="C:\Windows\System32\xdwdDRkernel.exe" enable=yes & exit
                                    Imagebase:0x7ff716910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:3
                                    Start time:11:36:06
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:11:36:06
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST & exit
                                    Imagebase:0x7ff716910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:36:07
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f330000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:11:36:07
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks /create /f /sc minute /mo 1 /tn "AppID\CrashReporter_NvTew" /tr "C:\Windows\System32\xdwdDRkernel.exe" /RL HIGHEST
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:11:36:07
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST & exit
                                    Imagebase:0x7ff716910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:11:36:07
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:11:36:07
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:schtasks /create /f /sc minute /mo 30 /tn "Maps\MachineCoreGoogleUpdateTor" /tr "C:\Windows\Scenarios\xdwdgrwMedia.exe" /RL HIGHEST
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:11:36:09
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\xdwdDRkernel.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\xdwdDRkernel.exe
                                    Imagebase:0xbe0000
                                    File size:737'630'248 bytes
                                    MD5 hash:DAB505417386641EDA6647664B05B461
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    Reputation:low
                                    Has exited:true

                                    Target ID:11
                                    Start time:11:36:10
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\xdwdDRkernel.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\xdwdDRkernel.exe"
                                    Imagebase:0xab0000
                                    File size:737'630'248 bytes
                                    MD5 hash:DAB505417386641EDA6647664B05B461
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:13
                                    Start time:11:36:12
                                    Start date:20/10/2024
                                    Path:C:\Windows\Scenarios\xdwdgrwMedia.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Scenarios\xdwdgrwMedia.exe
                                    Imagebase:0xd0000
                                    File size:778'524'712 bytes
                                    MD5 hash:55D55E337345200FE48FDCA4C7F21BC1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:16
                                    Start time:11:37:03
                                    Start date:20/10/2024
                                    Path:C:\Windows\System32\xdwdDRkernel.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\xdwdDRkernel.exe
                                    Imagebase:0x4b0000
                                    File size:737'630'248 bytes
                                    MD5 hash:DAB505417386641EDA6647664B05B461
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:28%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:100%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0
Execution graph (nodes and edges recovered from the graph dump):
  Node 4316: 7ffd9b788b9e
  Node 4317: 7ffd9b788c21 (NtProtectVirtualMemory)
  Node 4319: 7ffd9b788ca5
  Edges: 4316 -> 4317, 4317 -> 4319

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1857656497.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b780000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID: U
                                      • API String ID: 2706961497-3372436214
                                      • Opcode ID: fc1e2923c484f0d8d576e3c06bcf581d5b423679d513219abc675dcbd1891006
                                      • Instruction ID: 10816e4d83a0e454bc786405512427e28e27363375693bb2c427c7c48069d3f4
                                      • Opcode Fuzzy Hash: fc1e2923c484f0d8d576e3c06bcf581d5b423679d513219abc675dcbd1891006
                                      • Instruction Fuzzy Hash: E541D83090CB884FDB199B6898156E97FF1EB9A320F0442EFE489D7297CA755805CB92

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1857656497.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b780000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: U
                                      • API String ID: 0-3372436214
                                      • Opcode ID: 15b68a81ca4f55d7bc8b83df591b7794ad69ec869820d2b48aed5ce9d418b4e1
                                      • Instruction ID: 8c6e0af888cdc41a7380eb95e019fd351615dee77ba5d0681917fbeca8e85de8
                                      • Opcode Fuzzy Hash: 15b68a81ca4f55d7bc8b83df591b7794ad69ec869820d2b48aed5ce9d418b4e1
                                      • Instruction Fuzzy Hash: FE41F331E18A094BF72DEF6088A65FA73E1EF54315F84453ED49BD24EBED38B4068681
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1857656497.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b780000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a6fadc58ec9e0cd52e97f879b0e0675a56a048aa52c0476bc4fbcf846c5d462
                                      • Instruction ID: f797149ba2e414acee85a9549902db2137237d5878696f3df2cf77c1db845db9
                                      • Opcode Fuzzy Hash: 7a6fadc58ec9e0cd52e97f879b0e0675a56a048aa52c0476bc4fbcf846c5d462
                                      • Instruction Fuzzy Hash: E7F1A430A09A4D4FEBA8DF28C8957E977E1FF54311F04426EE84DC72A5DB7899418B82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1857656497.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b780000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 990e73708e703711784314274472e40d8f6b80fb9d5d3a1a9ef7d2cfaa26f831
                                      • Instruction ID: cffe7760ea6164f8508b75694fc21139307659088370954ab2f47d1a7c65ab8a
                                      • Opcode Fuzzy Hash: 990e73708e703711784314274472e40d8f6b80fb9d5d3a1a9ef7d2cfaa26f831
                                      • Instruction Fuzzy Hash: E7E1B530A09E4D8FEBA8DF28C8957E977E1FF54311F04436AD84DC72A5DE7499418782
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1857656497.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b780000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08e7b4d6137e99b8eef7abfdfa2ae16cead25225ca9b2b43a7fec486bee4bf8c
                                      • Instruction ID: e767eb2f4bd3260219cf447ab32652eb39ac76ddd2d1951ca1b6809572926445
                                      • Opcode Fuzzy Hash: 08e7b4d6137e99b8eef7abfdfa2ae16cead25225ca9b2b43a7fec486bee4bf8c
                                      • Instruction Fuzzy Hash: BEA12721F09E494BE71DAB788CAA5FA77D1EF95315F04417EE09BC31EBDD2864028281

                                      Execution Graph

                                      Execution Coverage:22.1%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:4
                                      Total number of Limit Nodes:1
Execution graph (nodes and edges recovered from the graph dump):
  Node 4334: 7ffd9b778b9e
  Node 4335: 7ffd9b778b67
  Node 4336: 7ffd9b778bcc (NtProtectVirtualMemory)
  Node 4338: 7ffd9b778c97
  Edges: 4334 -> 4335, 4334 -> 4336, 4336 -> 4338

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1881972059.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7ffd9b770000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-0
                                      • Opcode ID: 81b82173c89ffd6e0f00e5b973f4675110d5a40589ab83d19e9a7be40a2249d0
                                      • Instruction ID: d893a1ecdbe6a6bb6215bed1e1ddf4f70e57aad833fa41f8764d91fc86382ac6
                                      • Opcode Fuzzy Hash: 81b82173c89ffd6e0f00e5b973f4675110d5a40589ab83d19e9a7be40a2249d0
                                      • Instruction Fuzzy Hash: 01412B71A0D7884FDB599B6C98556E97FE1EF86320F0442AFE08DC72A3CE7568058782

                                      Execution Graph

                                      Execution Coverage:24.9%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0
Execution graph (nodes and edges recovered from the graph dump):
  Node 3211: 7ffd9b788b9e
  Node 3212: 7ffd9b788c21 (NtProtectVirtualMemory)
  Node 3214: 7ffd9b788ca5
  Edges: 3211 -> 3212, 3212 -> 3214

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B784000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B784000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b784000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID: U
                                      • API String ID: 2706961497-3372436214
                                      • Opcode ID: 3cb6ce66883eef50efb255582a58b17c08ba782d30fa9e175fbd1452832be908
                                      • Instruction ID: 10816e4d83a0e454bc786405512427e28e27363375693bb2c427c7c48069d3f4
                                      • Opcode Fuzzy Hash: 3cb6ce66883eef50efb255582a58b17c08ba782d30fa9e175fbd1452832be908
                                      • Instruction Fuzzy Hash: E541D83090CB884FDB199B6898156E97FF1EB9A320F0442EFE489D7297CA755805CB92

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: W
                                      • API String ID: 0-655174618
                                      • Opcode ID: 497890dd7e260c26ce6d6a00e10fdbdedfa8e449027621e2c8ba02bda08a9e66
                                      • Instruction ID: bf4e008dde5ecbcfccc5b4652ff2e8ea053111f75eeaf6f0ec5f034e3e91d86b
                                      • Opcode Fuzzy Hash: 497890dd7e260c26ce6d6a00e10fdbdedfa8e449027621e2c8ba02bda08a9e66
                                      • Instruction Fuzzy Hash: DBC10221F25D1E4BD698F7BC80B55BD71D2FF88202B8145B5E05EC36EAFE2CA9028754

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: U
                                      • API String ID: 0-3372436214
                                      • Opcode ID: 901fc7de652bd0f911c44e59ec684bb9fb5f0d0527f46219dafac6cd486dcda2
                                      • Instruction ID: 976cf9050a17fa1bbfb4259c5ce53f5f8c150b81b71abdf373ef81ae3eaedb3f
                                      • Opcode Fuzzy Hash: 901fc7de652bd0f911c44e59ec684bb9fb5f0d0527f46219dafac6cd486dcda2
                                      • Instruction Fuzzy Hash: 28B1A535B18A0A8FE798F76C84A5B69B3D2FF98705F5101B9E05DC32E6DE38B8418741

                                      Control-flow Graph

Legend: Executed / Not Executed (block colouring not preserved in this export)
Control-flow graph (basic blocks and edges recovered from the graph dump):
  Block 407: 7ffd9b780745-7ffd9b780762
  Block 410: 7ffd9b780763-7ffd9b780771
  Block 412: 7ffd9b780773-7ffd9b780775
  Block 413: 7ffd9b7807da-7ffd9b7808a7
  Block 414: 7ffd9b780777-7ffd9b780799
  Block 415: 7ffd9b780776
  Block 427: 7ffd9b78079b-7ffd9b7807a9
  Block 433: 7ffd9b7807ab-7ffd9b7807d7
  Block 444: 7ffd9b7808a9-7ffd9b7808b7 (call 7ffd9b780618)
  Block 447: 7ffd9b7808bc-7ffd9b7808d0
  Edges: 407 -> 410, 410 -> 412, 410 -> 413, 412 -> 414, 412 -> 415, 413 -> 444, 414 -> 410, 414 -> 427, 415 -> 414, 427 -> 415, 427 -> 433, 433 -> 413, 444 -> 447
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M_^
                                      • API String ID: 0-921959145
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2902061905.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                      Execution Graph

                                      Execution Coverage:20.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:4
                                      Total number of Limit Nodes:1

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1883034038.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_7ffd9b750000_xdwdgrwMedia.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-0

                                      Execution Graph

                                      Execution Coverage:22.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B784000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B784000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b784000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID: U
                                      • API String ID: 2706961497-3372436214

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: W
                                      • API String ID: 0-655174618

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: U
                                      • API String ID: 0-3372436214

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M_^
                                      • API String ID: 0-921959145
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.2370287682.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffd9b780000_xdwdDRkernel.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: