Edit tour

Windows Analysis Report
IwSPayUcGx.exe

Overview

General Information

Sample name:	IwSPayUcGx.exe renamed because original name is a hash value
Original sample name:	210e2e98bf88e3dd17e8ac1b8bdef59cd8fd93dcc5c579bf3a59830b30bc9052.exe
Analysis ID:	1546360
MD5:	610f78dab4043f4ab8d964e226d6edcb
SHA1:	383a33247a84f1e5a23334ea1a353d2e6aa7e855
SHA256:	210e2e98bf88e3dd17e8ac1b8bdef59cd8fd93dcc5c579bf3a59830b30bc9052
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

IwSPayUcGx.exe (PID: 4764 cmdline: "C:\Users\user\Desktop\IwSPayUcGx.exe" MD5: 610F78DAB4043F4AB8D964E226D6EDCB)

WerFault.exe (PID: 3276 cmdline: C:\Windows\system32\WerFault.exe -u -p 4764 -s 1652 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["23.ip.gl.ply.gg", "147.185.221.23"], "Port": "40630", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
IwSPayUcGx.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
IwSPayUcGx.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
IwSPayUcGx.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc7ed:$s6: VirtualBox 0xc74b:$s8: Win32_ComputerSystem 0xd5db:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd678:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd78d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd363:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2303303400.000000000263C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc5ed:$s6: VirtualBox 0xc54b:$s8: Win32_ComputerSystem 0xd3db:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd478:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd58d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd163:$cnc4: POST / HTTP/1.1
Process Memory Space: IwSPayUcGx.exe PID: 4764	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.IwSPayUcGx.exe.330000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.IwSPayUcGx.exe.330000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.IwSPayUcGx.exe.330000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc7ed:$s6: VirtualBox 0xc74b:$s8: Win32_ComputerSystem 0xd5db:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd678:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd78d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd363:$cnc4: POST / HTTP/1.1

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:11:18.944503+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49712	TCP
2024-10-31T20:11:56.923215+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49918	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IwSPayUcGx.exe

Avira: detected

Found malware configuration

Source: IwSPayUcGx.exe

Malware Configuration Extractor: Xworm {"C2 url": ["23.ip.gl.ply.gg", "147.185.221.23"], "Port": "40630", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: IwSPayUcGx.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: IwSPayUcGx.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: IwSPayUcGx.exe	String decryptor: 23.ip.gl.ply.gg,147.185.221.23
Source: IwSPayUcGx.exe	String decryptor: 40630
Source: IwSPayUcGx.exe	String decryptor: <123456789>
Source: IwSPayUcGx.exe	String decryptor: <Xwormmm>
Source: IwSPayUcGx.exe	String decryptor: XWorm V5.6
Source: IwSPayUcGx.exe	String decryptor: USB.exe
Source: IwSPayUcGx.exe	String decryptor: %AppData%
Source: IwSPayUcGx.exe	String decryptor: svchost.exe

Source: IwSPayUcGx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IwSPayUcGx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.pdbq1 source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb_ source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE8F.tmp.dmp.4.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 23.ip.gl.ply.gg
Source: Malware configuration extractor	URLs: 147.185.221.23

Yara detected Generic Downloader

Source: Yara match	File source: IwSPayUcGx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.IwSPayUcGx.exe.330000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49712
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49918

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: IwSPayUcGx.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: IwSPayUcGx.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.IwSPayUcGx.exe.330000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E96BF2	0_2_00007FF848E96BF2
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E92111	0_2_00007FF848E92111
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E916D9	0_2_00007FF848E916D9
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E95E46	0_2_00007FF848E95E46
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E925EE	0_2_00007FF848E925EE
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Code function: 0_2_00007FF848E90FF8	0_2_00007FF848E90FF8

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4764 -s 1652

Source: IwSPayUcGx.exe, 00000000.00000000.2032795412.0000000000384000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename771c52bb91daf4db02a5.exe4 vs IwSPayUcGx.exe
Source: IwSPayUcGx.exe	Binary or memory string: OriginalFilename771c52bb91daf4db02a5.exe4 vs IwSPayUcGx.exe

Source: IwSPayUcGx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IwSPayUcGx.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.IwSPayUcGx.exe.330000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: IwSPayUcGx.exe, ItRQGkfHmRTnb3UaaUyPcxLdtyfIk4uvxqJKeUZfG6HokcNro5lAya56OAzyWlsYe4nUI0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IwSPayUcGx.exe, ItRQGkfHmRTnb3UaaUyPcxLdtyfIk4uvxqJKeUZfG6HokcNro5lAya56OAzyWlsYe4nUI0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IwSPayUcGx.exe, 0kbHdTnYMVZJnJ7eBqAY21TiTOET3uflaL5yWlccI8dfcopefQT01yy8yYvcoSd6mAVS8R.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Mutant created: \Sessions\1\BaseNamedObjects\9EabU8PCoH81Ulv6
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4764

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e5f31d4d-ae0e-4322-a8b8-fe6287c9097a

Jump to behavior

Source: IwSPayUcGx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IwSPayUcGx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IwSPayUcGx.exe

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\IwSPayUcGx.exe "C:\Users\user\Desktop\IwSPayUcGx.exe"
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4764 -s 1652

Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IwSPayUcGx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IwSPayUcGx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.pdbq1 source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb_ source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE8F.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE8F.tmp.dmp.4.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{KsJt8tAoMDStvhDRg9pCig6k9pACgeas6QIyqlULuUZTD2Pj0408USYIVZb7OwoM1mxUbMU6Iot40VWd4BYIY._79PWGXonsEtgobZrnnqEKfAGcMEvgIzSuJsHrArPCHppBhqXJeIo8ORbSicOkifbFV0oCiuQstRBdiHd8H7oO,KsJt8tAoMDStvhDRg9pCig6k9pACgeas6QIyqlULuUZTD2Pj0408USYIVZb7OwoM1mxUbMU6Iot40VWd4BYIY.OxLg3BsZxN8QuGvksgiRgmd9VZx0EjM04pf2FJD9ZPVUQ6hFP6gmY7B1GJsevDRWcLylZLP3eaNN73LN0gNT5,KsJt8tAoMDStvhDRg9pCig6k9pACgeas6QIyqlULuUZTD2Pj0408USYIVZb7OwoM1mxUbMU6Iot40VWd4BYIY.H03EGrfAshI1KBsuEb73NbjuJG1Ki61uz1zMGaBbe9CMAsdKDou1vWtASyQx4ZdjYlOsf9BEhZOB6Vcipf1AQ,KsJt8tAoMDStvhDRg9pCig6k9pACgeas6QIyqlULuUZTD2Pj0408USYIVZb7OwoM1mxUbMU6Iot40VWd4BYIY.UQoHPRpZAlIaSljA5Pw80UKNHQQohxxzVzXheDbBARTYMFXHIw4SL0CWC8gfwrN0j8xxHLNC2eHCFLNq6yD0c,ItRQGkfHmRTnb3UaaUyPcxLdtyfIk4uvxqJKeUZfG6HokcNro5lAya56OAzyWlsYe4nUI0.YKFsaQfEYqCFFgzWKf4seja9WTIyNcz1nZuhzoMH3wI3ZUZqucvqs0hjoN7R1dCiqryS6K()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{H2K2Yr7yGt0Kj0uPdcK3q9CXwVL5vqlbIg6MC3654mY7v2LlhAskoaF7ENypIxKfveEqgk[2],ItRQGkfHmRTnb3UaaUyPcxLdtyfIk4uvxqJKeUZfG6HokcNro5lAya56OAzyWlsYe4nUI0.cnGyv04GrkulpbkZQ7twu5J72TitBoGzLpLOAxfJrRZZc2JMYx6oSrakLixKWBZVvHox6M(Convert.FromBase64String(H2K2Yr7yGt0Kj0uPdcK3q9CXwVL5vqlbIg6MC3654mY7v2LlhAskoaF7ENypIxKfveEqgk[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	.Net Code: fBcNUTM5FMFo5XgzuKWwO8tzzPRGrMLGtDNqgB9HluP1SCHPLhqlAoSC9MGAyiRkgO8JpguRuHTfCTMUWdAYF System.AppDomain.Load(byte[])
Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	.Net Code: fHz2DN9dbTjxn1uzf6b7MpIB3Uof0O7GfkP14roXeQOVgvFE4wCAGZ4qhnEpe9s4r3eUaF System.AppDomain.Load(byte[])
Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	.Net Code: fHz2DN9dbTjxn1uzf6b7MpIB3Uof0O7GfkP14roXeQOVgvFE4wCAGZ4qhnEpe9s4r3eUaF

Source: IwSPayUcGx.exe, rNi7Uc0PJlUmHvWx4lEe1U5uOU1RJh2elX5knW7YYnaxubZW3Pi5w5l1fDjLe5APUkPKmA.cs	High entropy of concatenated method names: 'PzRhFTCcHIluvhkwUrPkwN18fOMHXQ99Ch4WrksLLRoTfpyAHpb6veBVo8vcmTRyLhqi3n', 'iIDx64fp0c5nMQt53PrbvfGlrDaK11Ts6ZaqOYABJ9tVFySjtK12ymkXj6ZE8qu8wsu1nD', 'vrGjI8pRNd19NHdw7joE1q595fgCp7LLIeGhDhR9JfAkSb7o7eVYwsGtvd3oUjrX4lbaZ5', '_3RmeH2PDLPTA', 'qDqK9zl1oGdE', 'vxeud1EOLUdl', 'PcUeZWGzGxVe', '_04GrTvQaUdAX', '_2QZv7rDob0d5', 'LHwVDDnATyys'
Source: IwSPayUcGx.exe, lVzG122TJzLRYVJjDCFUummbVfjrrw3YKSg2ODIXIbCZx9ZWoGPG5e1BgsmiNlCwCXdGRN.cs	High entropy of concatenated method names: 'xKA7pmZsLpVXm5uXbIrsSDrweXoujNdzifvtkiNEVxLWgpiypCCMX6TT6qZdZsCQP6NB8e', 'DNrmBuOlM5lw26e802qrY5yr23R1s23XTXpQVnI6e0WzpEg8YvyD9Y4gbXpUDBzk4ff5Sv', 'yqRSmGPXPbsMOMx30o2E2OZIFhBiwN73kjNxjtqiNCk1r0Oa1NTDpS0CG3bjM01ijmRddD', 'DqTnHbsjIAYNt5bBkRt2vUnDLC3gHkJIi3soiSWAk1Uu4ZBUQCpZAJxiphZnNXSAacaMGD', 'SRukC8WQ9TTH', '_8RFKPpyOahkZ', '_1I8fcBEg3WWm', 'Zn0dCZNKwbwk', 'soeDZA8VG3Q3', 'trezy31LSwRi'
Source: IwSPayUcGx.exe, ItRQGkfHmRTnb3UaaUyPcxLdtyfIk4uvxqJKeUZfG6HokcNro5lAya56OAzyWlsYe4nUI0.cs	High entropy of concatenated method names: '_3GPZropu44ZYdQVLmYzOEm7pXSiI10QMInafRLupvxNWtTowelZo9wvnoyCnry7vTujHo9', 'ip7NEBGkzfGd4FjKRzwBmcFI4tGQLdOre0MyyaoAbnUhqXKaZJ9Lm3M4FS1xbJ07nJvU4n', 'GqdizgcxT9TkZiB638IGgjOZdfvsAUiTieRYJf7eoGTGd04itRu2aMvi9YULVFrWye8hn8', 'HHo6Jxt9T5aumuDB0po7A6T8bHu1QLdDt0CHdGE2WGrmBhj5HjQ1ksfbYqCAARfvNFDNpQ', 'dzrzEDLdTfzAicJFlPYRC4LlnRYT8B3FHcOwdifKPNrHTdy2HCBRrKKkkBlcHlXDfZ6Rqa', 'R3cGoBuLKmPSinEmqEnN4hE4HKa5ycWHFurFDq2BjmYwZ2o2mTMfsHR6DaUontzcNxtEkO', 'nY91ZecuPTm1cCHfKX6Cx87NjFuW4Fu0wMrYJO05442woANwhF6R6BwG1icBeC7x06XGLP', 'MW1RZJYvITY19NtIdq35TY4bL9pJiLfb0bddjFQI2ljJdZFAQxQBYsukbj4aPDc1r0pxGJ', 'XuDj1E21FKKcY2afnE9jL0CoR44Bx5X1VVAZdK33MK8eVwngS09AQXl9J0j50bSvcZI9Ir', 'CkbqyEpR6jwakmgCY8N3Umff0pRSS3WDoBAmDlYkJ7EB8VYFV4JkSOSkaxAHxyu17WWVmp'
Source: IwSPayUcGx.exe, HiHvEN3q7E4EXFa1w4GjyxzzabOuDPWLPqkB79Bs7VmcdqvT8XLwkqJ5SO3gRnyOHRToXkmToznlqGOjPnKtW.cs	High entropy of concatenated method names: 'ceq4Ykx4tqeMFN5ZqXUfahAZ6CfaoQbBrdzhwF4caX9p3GH8XB6MqVMoZiph0B2gtrmpak1Ne9kFl1cmjWDxw', 'fBcNUTM5FMFo5XgzuKWwO8tzzPRGrMLGtDNqgB9HluP1SCHPLhqlAoSC9MGAyiRkgO8JpguRuHTfCTMUWdAYF', 'sRmziQqBht6ckxMXSvKFWvKNF8mK5zcQst8GueI110wzC8UUly2X6mGxdvINposzr46eqDLx7WmrVuwJ06xAM', 'wbeTv3oGF7U0BlcBU0xtpfwNuEWAP7DSLauk1QponQZXjXjIhMcAJHKSbqi61BNWnajEWPhzJgUqJ4BQfRgfs', 'kTWfaxIlaA8U22iTbvULlJvsBo1Co9Y8s3bhqLp2iu4TyuTa3JbhKMtGzdh3KW6Z5aqomCKDhDZI1Cn3A42UY', 'jiyBMmC0P9DF5S0njyF8AT8NhC91bZgnq9y0zb7oshC3HUGIP3JuGenv5f6JzWQiPBWdH2onxRhgcvV2pJt4E', 'HtmOma1uuXklTzExms8RYbyXda4OikwhsKqnqqFzV5TCCrwPUXYmSfG3oiRG6dx5bMY3Yrlm5oMzYF41uZaML', 'loYhPQJfkia3nFeDK2xhOZbu8UIgOuF5jb808SrHXrMo7MrKNInyZf2Ed7PjL49Iqer6tInhRMe3CoufH366M', '_372IdHiBk6RFZcEt2ZhfLrWFrv7IxJFIEzgC72zMfbuZWHJZ5TbTsLQuoulrwWcp8urrEe', 'dnhZeymVz3PHo2RAwIJJRzcZbfh0UiMEjuDbYmaymJik9VddgdKHUrqx7KYF94DGl9trQN'
Source: IwSPayUcGx.exe, E4PT1mgw7QVVYZsmXEkGc2At16Yl6k10IL8saJ9Qh7SJS5wIuWayOBEU36AiJPeMnMxPjXyYGxurj5Zxqruy7.cs	High entropy of concatenated method names: 'ihxL652rxHcTHNn9C6U08RavvazjB6kKUfw1HbOqMSYqS6D8CRkOhxUT07EZr6dAhl4of4EjDGuI3gGi6TQ1z', 'pJMkT7YJLTeEHdkRe3kwZGteLbeJ4k5m3v9ueOGOHSYNyVpyNfiZP44mBiNmCTs15DzhEoZ6TgbQ2Ig1ZcUUU', '_2OhLGWLqNrLmFm1s3vw3JTSXkWWlQZdUzDQ044GmHac2clF9SGVhkt1aZ5lVattInsLtQjO1XTMyJkx8RlFiB', '_7VahGlXtyIbBSFNeXBAedKSUkhonIAbd1bR9rez7ImW9F7dD3Sn2YpnwnUNPjnVXfaQyKMZ1hVgsz1K6jeBjB', 'LP2yjlbWeDkbqp1pIl6Uw3KBAgyYAIdqRDNWIez440yfu9PtjAP39c6q3NqaA8AtrxJXR4FdbPJz0pWiTgCit', 'EkjPddWj0cKU1HcR768wntd5llSv2so2hhRlnL9AXBo664TwpUIhPuK0ycKsRdUR6ICG7tnlfXtupGLTh3CQT', '_5MJvQfFdoJJJ1B4M7s7nf7j7hz7y3x8l5LVX1ORbOiRXcLlElFIQbbPlin8gfSPCrInyUhuzqFmL5VCipAL3W', 'bnYXGyurNrdwzHCr8ypkb73pmAUD1XQ102dlBKuEpQgopw7UZrA1HvFzHehf3yMToggeCQV081iBXV1EoqWUb', 'CRr7W63p40cMqK6BY8PdOdd2Sh72Y1fLF2eizYux9haEyZu3yES8YHAes1eiPqMHjrJVNI1rejLd1aFvbHYBE', 'JBRSJHKRX8CI3IfwL7yE8mozuVyh1zuG0kHtHB7PSpsZ9cD0DJ19ellub8iNGIRmxb5b2j0FHPB4gomcB49rR'
Source: IwSPayUcGx.exe, 0kbHdTnYMVZJnJ7eBqAY21TiTOET3uflaL5yWlccI8dfcopefQT01yy8yYvcoSd6mAVS8R.cs	High entropy of concatenated method names: 'v0YZpkp9EQ0syFMl2e4Ph9qiELU4dURWQjJQGLphhXuEnVkbSzD7gMaJyxmJIEU32GUac9', 'I6X6PoXcS6ev', 'hiw88A5ozT8f', 'actmcwEvEfWD', 'M63emJqC4Xhf'
Source: IwSPayUcGx.exe, KbuXevNnjb2x7ITRbIxUZwkpHIcK7klEeyzg5Aukh33K6NLGSp5S4FFgS5aLOCdlpM4eoHYwmDbmDCtBZx5cS.cs	High entropy of concatenated method names: 'Bz6OSJmHCPvhWzk6cVZ4OyoyLAb1pnm7MATiKOxI3uKoskvA8WhPzHrXPaGgZOY2kkajtA3JcXeMWbBhXz9x5', '_3z0Zw5YEhGL6dLN0d8CPDUL06Z3fAi54e52QknLqMLXvzBYxp2aZWlx3AkmyvTVxqq9CyoZ5xjDYRY0AgFEFk', 'mci10o1uDwdRX5KOaiAfENGHNmGX3jQKNhTmjAGBG06wyuAhTlR3YnzsiAIcFzXT68uk2uO71W2VOFfQWa1H9', 'FkvtjZdjSa53QfSPwjhbp5lWRWWUUmB1KbrqcGjl61TnMt3WjphZ8Ma4GjBiXyHisLVYpxDIyxnPoCl3WKJ0m', 'aYEZA14Q3SHBdxpJsrFqm4tNqGBMF1OCQWQ0D4UckWI0y9fXTIp5wN6zdcaDF4W4wEgsFntLdBctfTMGPoYv7', '_8wwGwALyQICuTRdzV0hRTRhUmQm27An8Pus3adCDlugbt0W0EfT0LmOhR2GRySSy0qJokZ2VCjdN5U9Vwj6TM', 'x5tEZOx9jmNdofLe58obIJtN7e9jGg4eykDNt2Nt83stdUEvqkqHpVVlzFZqVVeT8f02EA8uLNThJgrlQ4xHs', '_3yjBQKTbRu9pcOPSrgD2n9H0mznLzaEfgf2VtMwQdCGeDCfuzjP4oGTJsFGSt2V2hLLJZBuHFrwEYIbW2NcNM', 'oJreHdc0NBfjby2Fnh9DTqOo7Bh4IhLI0RsNotjZ5gaXi4A7ShId2K13FV9b2FPzdyqwu7dHwSTAEiK9EeCG8', 'RgmKWbQyWEwsHrRZ7NnIRtVGVw5IaXvIdEoV9xdBTJ9osRd8C2BCGbKPLEmIzikrsCFZzRsmPjs9SpBGQrxad'

Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: IwSPayUcGx.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Memory allocated: BC0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\IwSPayUcGx.exe	Memory allocated: 1A630000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: IwSPayUcGx.exe, 00000000.00000002.2303854817.000000001B441000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: IwSPayUcGx.exe	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Code function: 0_2_00007FF848E97801 CheckRemoteDebuggerPresent,

0_2_00007FF848E97801

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Queries volume information: C:\Users\user\Desktop\IwSPayUcGx.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IwSPayUcGx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: IwSPayUcGx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.IwSPayUcGx.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2303303400.000000000263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IwSPayUcGx.exe PID: 4764, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: IwSPayUcGx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.IwSPayUcGx.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2303303400.000000000263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IwSPayUcGx.exe PID: 4764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	331 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
IwSPayUcGx.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
IwSPayUcGx.exe	100%	Avira	HEUR/AGEN.1311620
IwSPayUcGx.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
23.ip.gl.ply.gg	true		unknown
147.185.221.23	true		unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, IwSPayUcGx.exe, 00000000.00000002.2303303400.00000000026F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546360
Start date and time:	2024-10-31 20:10:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IwSPayUcGx.exe renamed because original name is a hash value
Original Sample Name:	210e2e98bf88e3dd17e8ac1b8bdef59cd8fd93dcc5c579bf3a59830b30bc9052.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: IwSPayUcGx.exe

Simulations

Behavior and APIs

Time	Type	Description
15:11:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	ip-api.com/json/?fields=225545
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	208.95.112.1
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	208.95.112.1
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	208.95.112.1

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IwSPayUcGx.exe_c5fc5f7d961217a99c72b24fb7ccb16025b5aab2_5a636975_da6c2c1a-4877-49d3-814e-eb855b36617a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.208851484286332
Encrypted:	false
SSDEEP:	192:c57I3c9IJZFIfF0NxMJaHaWj8iyU1lxPzuiFWZ24lO8EI7nQ:I74cmZFLNxMgaY8iFxPzuiFWY4lO8EO
MD5:	AF09C52F70FA6502921D1E570451C9F9
SHA1:	800714160A0541AB6D5CEB60455636EBAD3AEE0C
SHA-256:	7DFEE03978A246FB2013B8C52C0C8DD6D2BDA1C52AED0EC321FF13B75FB5337C
SHA-512:	997779ACE7CEDAEF625BAB95641D94D8565BDB6577523D0618DC4EADEE030452D20AF30ECEF980643A07AA2872421CFB247FF64CFBB6368343699DC1BD6C0951
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.5.4.6.3.6.9.2.7.7.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.7.5.4.6.4.2.2.4.0.2.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.6.c.2.c.1.a.-.4.8.7.7.-.4.9.d.3.-.8.1.4.e.-.e.b.8.5.5.b.3.6.6.1.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.c.4.4.3.4.6.-.4.b.8.2.-.4.d.1.0.-.8.6.2.d.-.2.3.9.6.f.c.2.9.0.6.0.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.I.w.S.P.a.y.U.c.G.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.7.1.c.5.2.b.b.9.1.d.a.f.4.d.b.0.2.a.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.9.c.-.0.0.0.1.-.0.0.1.4.-.f.8.6.5.-.4.8.9.e.c.8.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.1.1.a.3.2.8.b.e.0.5.4.3.6.e.a.6.4.8.9.2.a.3.f.a.1.0.3.b.b.a.0.0.0.0.0.0.0.0.!.0.0.0.0.3.8.3.a.3.3.2.4.7.a.8.4.f.1.e.5.a.2.3.3.3.4.e.a.1.a.3.5.3.d.2.e.6.a.a.7.e.8.5.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE8F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Oct 31 19:11:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	451662
Entropy (8bit):	3.048441330255679
Encrypted:	false
SSDEEP:	6144:Ir/GmSgm1hYzCn0v8qDbZllG8fIztB3Q12t:4/ZR2wv8qPu1Q12t
MD5:	CEB217C0CAD4CCF4E971AE2100C829BD
SHA1:	7F15F0C9C2D815A39B809B5DBE7F0C086E6A1834
SHA-256:	660DE373B337F0174F8EB9BEEF8993F9C6DD4A55286FED4D37B73CA3D3EED5EE
SHA-512:	69BC320EE4FCB20655B6526C5DE6E33AD317D50CF7727BB838732BFB84ED243A5C8769E4C70BBB0980C1EACC3DF7E85561CAB6405F8412466C47E8192CDCDCE4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......G.#g........................d...........<...X(...........(.......7..L...........l.......8...........T............@..f............6...........8..............................................................................eJ......$9......Lw......................T...........B.#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFE7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8782
Entropy (8bit):	3.69897925559322
Encrypted:	false
SSDEEP:	192:R6l7wVeJXEjDY6YEInYNBMgmfZPAUpDv89bxa9fgY7m:R6lXJ4c6YEYYNKgmfipxwfg5
MD5:	4A75C363E72BD0355C0C53E3AF9246AA
SHA1:	1D952F76D9999B08F8949BB3B2C43956A2DC7E04
SHA-256:	21178F82B48CB109261F757B9D85B2B25EF8152F77DDC6CA2EB1A067CD34322F
SHA-512:	FDC274F0CD6E78E44C5503BEC6B34B42412FCF0D2424D92DF215211036D8F94AFE79B42AB62D0ABBDF58DDDD888225D8833349C31BC8C6EB3EDDD18F321ECFCB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF017.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4793
Entropy (8bit):	4.463127444048213
Encrypted:	false
SSDEEP:	48:cvIwWl8zsTJg771I9AbWpW8VYUYm8M4JutD0PF4yq8vmtD0c6GIKYsd:uIjftI7/q7VYJkWpWYsd
MD5:	3372711F7F75B6D9EAD04991A0E8AC7D
SHA1:	C6B1D4EB026E1F48972A8A1936280D21BF4D4CA0
SHA-256:	6F7973DB96AFC32C96339E058D7DF13669206AC1EA39EAA71FE1B06BD5CE6200
SHA-512:	3A8FA7F20C7AF739C294FBA4FE3DF3D747E869C9C2FF05422777DD5086C3FABCAE982A7B1B88FF958668C5BDAEF54C11D321CBAC79AD444EAFE0D9F8D34F516B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567973" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4216714972802365
Encrypted:	false
SSDEEP:	6144:PSvfpi6ceLP/9skLmb0OTIWSPHaJG8nAgeMZMMhA2fX4WABlEnNS0uhiTw:avloTIW+EZMM6DFyc03w
MD5:	C14BC50CFF0CF59EC3F59487C6FBA4FF
SHA1:	3C9FA5268BD498D304BFF958BD7F08508FF59E49
SHA-256:	A0AC9C00C89CB5E5C653E4388BA418397179C596A487D405CA4F42283658B3A3
SHA-512:	C764E64AF2362FA427CDE56AE2F6D2B92F838A791DDDB3B109324D28411A814C5A159C5445803C1B97B77F0C7C260892B54699B00A935E5AC64C372205004A81
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.N6..+................................................................................................................................................................................................................................................................................................................................................!.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.4644203011133285
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	IwSPayUcGx.exe
File size:	331'776 bytes
MD5:	610f78dab4043f4ab8d964e226d6edcb
SHA1:	383a33247a84f1e5a23334ea1a353d2e6aa7e855
SHA256:	210e2e98bf88e3dd17e8ac1b8bdef59cd8fd93dcc5c579bf3a59830b30bc9052
SHA512:	0303eeb10caa59274e75676b9f1ad4c5baa7455fb8e3cb4d0a856ecc7d02224931df6c90c18e87fb2cf4212e97f33fa088ba1ae6eb93d39439bee5fbc48e7861
SSDEEP:	3072:gA5ta1bMRRlOXk12l4mJe7UmuLchHPHo4bqRH33qGCNxxOe:xAbIMl4miUdLchvo4OlnqR
TLSH:	AB640A259FC6CA9FF12ED07F55FACD65A29FC058070F11C2EE7EC0E6A3AC9686506142
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N."g.....................(......n.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	cd993679681c94b4

Static PE Info

General

Entrypoint:	0x41046e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67229B4E [Wed Oct 30 20:47:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10418	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x425d2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe474	0xe600	f500f25630419764f21a20821bd32591	False	0.6109714673913044	data	6.1811501896005465	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x425d2	0x42600	420d222cdfffe04bbc95a6a4549a5978	False	0.2891139948210923	data	4.8922178251996495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	ba6328c3991f22c3c40f92743aeccd23	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x12130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 39 x 39 px/m	0.28785838979791106
RT_GROUP_ICON	0x54158	0x14	data	0.9
RT_VERSION	0x5416c	0x27c	data	0.45440251572327045
RT_MANIFEST	0x543e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T20:11:18.944503+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49712	TCP
2024-10-31T20:11:56.923215+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49918	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:11:03.756484032 CET	49704	80	192.168.2.5	208.95.112.1
Oct 31, 2024 20:11:03.761445999 CET	80	49704	208.95.112.1	192.168.2.5
Oct 31, 2024 20:11:03.761519909 CET	49704	80	192.168.2.5	208.95.112.1
Oct 31, 2024 20:11:03.762079954 CET	49704	80	192.168.2.5	208.95.112.1
Oct 31, 2024 20:11:03.766890049 CET	80	49704	208.95.112.1	192.168.2.5
Oct 31, 2024 20:11:04.357561111 CET	80	49704	208.95.112.1	192.168.2.5
Oct 31, 2024 20:11:04.404866934 CET	49704	80	192.168.2.5	208.95.112.1
Oct 31, 2024 20:11:27.234313011 CET	49704	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:11:03.741502047 CET	63892	53	192.168.2.5	1.1.1.1
Oct 31, 2024 20:11:03.749727964 CET	53	63892	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 20:11:03.741502047 CET	192.168.2.5	1.1.1.1	0xe543	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 20:11:03.749727964 CET	1.1.1.1	192.168.2.5	0xe543	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	4764	C:\Users\user\Desktop\IwSPayUcGx.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 20:11:03.762079954 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 31, 2024 20:11:04.357561111 CET	174	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 19:11:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	0
Start time:	15:10:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\IwSPayUcGx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\IwSPayUcGx.exe"
Imagebase:	0x330000
File size:	331'776 bytes
MD5 hash:	610F78DAB4043F4AB8D964E226D6EDCB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2303303400.000000000263C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2032779166.0000000000332000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:11:03
Start date:	31/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4764 -s 1652
Imagebase:	0x7ff79eb20000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848E97801 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF848E978B0

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 95304c52ff5c8e10b26a7e53ce62c17fa97d99699ab8a32cac33db6e5f6a6ee7
Instruction ID: 9585a26f761c1eadb422ef4d0c54dcdd8edf796189905a6092303c755e349803
Opcode Fuzzy Hash: 95304c52ff5c8e10b26a7e53ce62c17fa97d99699ab8a32cac33db6e5f6a6ee7
Instruction Fuzzy Hash: FD31F13180C7588FCB58DF58888A6E97BE0FF65311F05416BD489D7282DB74A846CB91

Function 00007FF848E916D9 Relevance: .6, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0003958724e900f21b5785d3606ae4a815261ca53e14265d210fb1fe99007b5
Instruction ID: 98c56bc58f275d00aa8cd0e73d3fcee7c2518838c7facfe4106bfe2ed4348b53
Opcode Fuzzy Hash: b0003958724e900f21b5785d3606ae4a815261ca53e14265d210fb1fe99007b5
Instruction Fuzzy Hash: B912BD61A2CA495FE798FB7884692B9B7E2FF88744F44057DE00EC32C2DF39A8418745

Function 00007FF848E95E46 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eebb14b0354b450737ff6f4be5fc18f3ab6f8c9dacda3d9b7c0da53f7549644
Instruction ID: c7efaab223884412e7792be61a2a858b99a5a27b7673ce4f6b7486e642f450ed
Opcode Fuzzy Hash: 6eebb14b0354b450737ff6f4be5fc18f3ab6f8c9dacda3d9b7c0da53f7549644
Instruction Fuzzy Hash: 45F1B33090CA8D8FEBA8EF28D8557E93BE1FF54350F04426EE84DC7291DB74A9458B81

Function 00007FF848E96BF2 Relevance: .5, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44f46513b1caaa87e7b8bff3553af899c18817b09cf23b4247c6ef1068bd86f
Instruction ID: 62370f1771444bb6c3e92b1b2f847f1c4ef7fe7856c300cf240f4f9188b1597d
Opcode Fuzzy Hash: a44f46513b1caaa87e7b8bff3553af899c18817b09cf23b4247c6ef1068bd86f
Instruction Fuzzy Hash: 80E1A13090CA8E8FEBA8EF28C8557E977D1FF54350F04426EE84DC7291DB74A9458B81

Function 00007FF848E92111 Relevance: .4, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d130d5de8fdaf1f5a9c9f3274025a9bb826571d2d30705b8f7d93dd3fb82be1
Instruction ID: fde3f7d88b60d3a1bd1e66d396daa494ce00639ddfdd7ed7f61810e7d8a4296a
Opcode Fuzzy Hash: 5d130d5de8fdaf1f5a9c9f3274025a9bb826571d2d30705b8f7d93dd3fb82be1
Instruction Fuzzy Hash: B5C19C20F1C94A9FEB98FB6884556B976D2FF98384F044179D05EC32C3DF68A8428786

Non-executed Functions

Function 00007FF848E925EE Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b711a6440705240ab77c19ab168a6644421042a73506c532f60ac511b8754c87
Instruction ID: c62f5bfb5f264410e27549862f58c64ab1f075c13cc4e936dd7e036d31cc5a25
Opcode Fuzzy Hash: b711a6440705240ab77c19ab168a6644421042a73506c532f60ac511b8754c87
Instruction Fuzzy Hash: CB812252C0EAC25FE71767B458290A5BFE1FF13654B0D00FBC8A48B497D65A580EC356

Function 00007FF848E90FF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304363079.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_IwSPayUcGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146841fd9a23bbec7c455a7491041945b83fdd38188a2b53ff0842adc99a30b5
Instruction ID: 5f3e3c0352d5e03eea7a1d7155e7c069b68ac4549849fdbb35c899f802cb212e
Opcode Fuzzy Hash: 146841fd9a23bbec7c455a7491041945b83fdd38188a2b53ff0842adc99a30b5
Instruction Fuzzy Hash: AB519797A8D9623DE21A77FDB4510F96B10EF813B5F0C9177D18C8D0A39E1920868AFD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IwSPayUcGx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IwSPayUcGx.exe_c5fc5f7d961217a99c72b24fb7ccb16025b5aab2_5a636975_da6c2c1a-4877-49d3-814e-eb855b36617a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE8F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFE7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF017.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
IwSPayUcGx.exe

Function 00007FF848E97801 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Function 00007FF848E916D9 Relevance: .6, Instructions: 636
COMMON

Function 00007FF848E95E46 Relevance: .5, Instructions: 477
COMMON

Function 00007FF848E96BF2 Relevance: .5, Instructions: 462
COMMON

Function 00007FF848E92111 Relevance: .4, Instructions: 391
COMMON