Edit tour

Windows Analysis Report
2vPsGmF7E2.exe

Overview

General Information

Sample name:	2vPsGmF7E2.exe renamed because original name is a hash value
Original sample name:	6da7f0084b74cddda572b4c839824c50de6965c8b980dd639d15760e85c8c0d3.exe
Analysis ID:	1546368
MD5:	973b6a3341fdea0b7de82697349d3c50
SHA1:	cb0bb65f302f4a7e9b6f90e8a341726eca788b07
SHA256:	6da7f0084b74cddda572b4c839824c50de6965c8b980dd639d15760e85c8c0d3
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

2vPsGmF7E2.exe (PID: 5736 cmdline: "C:\Users\user\Desktop\2vPsGmF7E2.exe" MD5: 973B6A3341FDEA0B7DE82697349D3C50)

WerFault.exe (PID: 812 cmdline: C:\Windows\system32\WerFault.exe -u -p 5736 -s 1652 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["completed-rally.gl.at.ply.gg"], "Port": "28996", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2vPsGmF7E2.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2vPsGmF7E2.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2vPsGmF7E2.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe176:$s6: VirtualBox 0xe0d4:$s8: Win32_ComputerSystem 0x10084:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10121:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10236:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf30c:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdf76:$s6: VirtualBox 0xded4:$s8: Win32_ComputerSystem 0xfe84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xff21:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10036:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf10c:$cnc4: POST / HTTP/1.1
00000000.00000002.1568677036.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 2vPsGmF7E2.exe PID: 5736	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.2vPsGmF7E2.exe.7d0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.2vPsGmF7E2.exe.7d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2vPsGmF7E2.exe.7d0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe176:$s6: VirtualBox 0xe0d4:$s8: Win32_ComputerSystem 0x10084:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10121:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10236:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf30c:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:13:30.961662+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.7	49730	TCP
2024-10-31T20:14:08.915337+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.7	49945	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2vPsGmF7E2.exe

Avira: detected

Found malware configuration

Source: 2vPsGmF7E2.exe

Malware Configuration Extractor: Xworm {"C2 url": ["completed-rally.gl.at.ply.gg"], "Port": "28996", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.1"}

Multi AV Scanner detection for submitted file

Source: 2vPsGmF7E2.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2vPsGmF7E2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2vPsGmF7E2.exe	String decryptor: completed-rally.gl.at.ply.gg
Source: 2vPsGmF7E2.exe	String decryptor: 28996
Source: 2vPsGmF7E2.exe	String decryptor: <123456789>
Source: 2vPsGmF7E2.exe	String decryptor: <Xwormmm>
Source: 2vPsGmF7E2.exe	String decryptor: XWorm V5.1
Source: 2vPsGmF7E2.exe	String decryptor: USB.exe
Source: 2vPsGmF7E2.exe	String decryptor: %AppData%
Source: 2vPsGmF7E2.exe	String decryptor: Windows Anti Virus.exe

Source: 2vPsGmF7E2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2vPsGmF7E2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.pdbMZ@ source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb`w source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD106.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb( source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD106.tmp.dmp.10.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: completed-rally.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: 2vPsGmF7E2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2vPsGmF7E2.exe.7d0000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49945

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: 2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, 2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 2vPsGmF7E2.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: 2vPsGmF7E2.exe	String found in binary or memory: https://rentry.co/8wum7vax/raw

System Summary

Malicious sample detected (through community Yara rule)

Source: 2vPsGmF7E2.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.2vPsGmF7E2.exe.7d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE6156	0_2_00007FFAACCE6156
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE6F02	0_2_00007FFAACCE6F02
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE1529	0_2_00007FFAACCE1529
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE2021	0_2_00007FFAACCE2021
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE1D99	0_2_00007FFAACCE1D99
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE10E0	0_2_00007FFAACCE10E0
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Code function: 0_2_00007FFAACCE10B0	0_2_00007FFAACCE10B0

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5736 -s 1652

Source: 2vPsGmF7E2.exe, 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameActynBootstrapper.exe4 vs 2vPsGmF7E2.exe
Source: 2vPsGmF7E2.exe	Binary or memory string: OriginalFilenameActynBootstrapper.exe4 vs 2vPsGmF7E2.exe

Source: 2vPsGmF7E2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2vPsGmF7E2.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.2vPsGmF7E2.exe.7d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 2vPsGmF7E2.exe, AiNuWSI4GGACoEXz8ibcOqCp6KnZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2vPsGmF7E2.exe, Z148COpZW7eomVIFwmd7cLZxNZ7z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2vPsGmF7E2.exe, Z148COpZW7eomVIFwmd7cLZxNZ7z.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2vPsGmF7E2.exe, QJ0R4nMk343z4QJrD4ylOeLWXCuI.cs	Base64 encoded string: 'Ikf20hhZUqigAETIr8MvAKyL8hBF1bGWrTLvuNSDUhU49a9u9hMBXMbLfc7h', 'wdWWoGHH2DJPJgHo0uvxgFLo6kLZQjbsFX0uDJvJkBQH3TYzFFW4T5NSr7cF', 'gXShdavnUDjF1r9PN5eLrsteXNrzecBwfFGj5NIvbRh3M8XRIYZymt0NofyZ'
Source: 2vPsGmF7E2.exe, Z148COpZW7eomVIFwmd7cLZxNZ7z.cs	Base64 encoded string: 'Q5ihNr51xPSGjn9s7nfcFTONHbcgqS8YPA2PSdXNrIxhva3XPeJVta9hZ1md', 'GJieL054i8c7TEn2RXm1OzZxmY0bvAbr3W0flqjkMCfOKkqVLdTqnLyBCUIK', 'sEwZdvDVUk6H3CHXQ4cjNwk3YLzE46FZew76Gdbrks2bNbgGOhKiMH3wCPUz', 'qtDNL8myricgbYHtc5hn31nLk15e5mFZvgegppgrolQ2uv3WL8LECKdBx5eZ', 'odQLr8ZWpu0MWAMG5YpKvDIPGIq2mYqKVAT1OQxNqmRy6QV0YCNGsoRWXKKH', 'WY6qceiwcDLMXOhr80jvrIYVARcm4cBO2JsoQYatpnzV47O6WiSap4TY5JL4', 'X7mFnH1A2pVDBGoeo6fbIupK0gYA23zVrnty12fYF9cfDC5N3werCSFR2dnj', 'J2z1OPnKncff2jsEckGjixfuo1tV51n6RWCbsI91JROQRM4zu3qpsebrO1Ol', 'usL2Rrk8dsMFfOO5HV5JHMZCgySoMqMZzHv7Q7PWif8CnBAEl8nI9vxnlIgm', 'HHPRpjfL9iWSxpiEJPsrZ4XEXn0XFXEHoY3p8Y1ShnFtNImsIeggH3lxqzqq', 'NwAbikHQpMQacuOOTqKMDdsv3j8p4sUxeYvZ703ebggYWyI3LJIZwntovQ3D', 'pSlQP6Gjo26nb3YPGP2dHZVe7XMnuUOWzS5ifEfL0LLmPad3sNxp1FigL8gQ', 'nCyqEviMdXYnzK01yk6HbnmR2Nk6eWKS6AZe3qCeuVXK3Wl7P6dWPkixssQm'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5736
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Mutant created: \Sessions\1\BaseNamedObjects\eSq7zhzJxERaEZEw

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e67078c8-dade-4780-9bff-428975872208

Jump to behavior

Source: 2vPsGmF7E2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2vPsGmF7E2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2vPsGmF7E2.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\2vPsGmF7E2.exe "C:\Users\user\Desktop\2vPsGmF7E2.exe"
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5736 -s 1652

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 2vPsGmF7E2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2vPsGmF7E2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.pdbMZ@ source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb`w source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD106.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb( source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERD106.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD106.tmp.dmp.10.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{JD1zUQ0yFoIMxsr7AqT2anKbhL66yZMue1uh7EDZbEA._1IynxoWdS1pQmIT3XIhDi3ajGfWUpuIepJZLh4scdDn,JD1zUQ0yFoIMxsr7AqT2anKbhL66yZMue1uh7EDZbEA.lhJ9geI1JAXlxXRxOZAvTtOgRBXn8mDxKIrKPMRSszK,JD1zUQ0yFoIMxsr7AqT2anKbhL66yZMue1uh7EDZbEA.aguBHLgTHLGHjwsvhu63fAejPBKjAYFpn9aRhFVC173,JD1zUQ0yFoIMxsr7AqT2anKbhL66yZMue1uh7EDZbEA._6JEXWpCGxwzCNrs7Wl7PvvnRWxbKkno3NsbCYWxhnZP,Z148COpZW7eomVIFwmd7cLZxNZ7z.ph51B4D2MJBTuuddjWeVnNkdhE1I()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{GWlhyNiiEcG8QEIAbKQJXxYrry16V4ajtq5CPFp46Gh[2],Z148COpZW7eomVIFwmd7cLZxNZ7z.PNdyZHJJoHp3j9U8ZHUdtMprdXS9(Convert.FromBase64String(GWlhyNiiEcG8QEIAbKQJXxYrry16V4ajtq5CPFp46Gh[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	.Net Code: HuKOAQ8Ra9smFQm9aVlNCHlXPfRmVHcOXkR6yZ5iWoI System.AppDomain.Load(byte[])
Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	.Net Code: JqNrYJZveCoHP63C22iH2cVoBVcAob1mkdeAHmL3NQt System.AppDomain.Load(byte[])
Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	.Net Code: JqNrYJZveCoHP63C22iH2cVoBVcAob1mkdeAHmL3NQt
Source: 2vPsGmF7E2.exe, Z148COpZW7eomVIFwmd7cLZxNZ7z.cs	.Net Code: by2350DP9jGehNFeyasCru0AmuU2 System.AppDomain.Load(byte[])

Source: 2vPsGmF7E2.exe, QJ0R4nMk343z4QJrD4ylOeLWXCuI.cs	High entropy of concatenated method names: 'zwutJfCjcQaYq9ZRFD64EyulQ8p9', 'PfZhJmYvqDWw4TBP9Nt1fAFQzHHj', 'iJ3PNJbMwldh4w3GIKFZXSKmPI6k', '_4oKjOnzYnUC9aJajz5cf0oLxEk0c6lIvRVgqRI72g5lIMtjC0tI2qz9lo08Q', 'cNmBWEPBs9oaIt3XXWz8CjbzPgWq3BpDV2F4cbAF6BYKTjk6ccA3GCX7aGU7', 'uzV0CqAl1uY9SdCYeAuFxZa0DhrwsFiuvaUU7xn0TwVbloS77wFGySQspVxU', 'knzt1ikJUXi1NaKrCBEZdaLXNdpyzIijTLc4bYzRPFGJjWiuJSnRWfaV5ihI', 'BCVwV5SaN9Bu2SAZSnNeIaNNjD3Gq5LqZ4yAsU1DvWYEeukru2ANHDMUnWhD', 'e7bqskhOd6zrOjxpKFDOjA84UYClwzBMPn9YVcXxTWLQuv4jm3WS8lISxsYO', '_0nKR6blZeLmhR7V4OiyONlNF4qsk6V2Cs7otwcWvqeMGD7evyV6hRCSwvpwz'
Source: 2vPsGmF7E2.exe, aSjXvEPyn9WQ4no6OcWveqLvTtWOV5XilS6fDjSIIPp.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'sR0ZIsEMWDdEkokcYn4PmsQd2lRV', 'IqyYBjkxGLJDG75vFNsRi1CIfhbN', 'CtouWOBi9HTWvbuzckV02GnxU8NT', 'QgfdNae7jxBxFHNo7yJC4anoPRjR'
Source: 2vPsGmF7E2.exe, AiNuWSI4GGACoEXz8ibcOqCp6KnZ.cs	High entropy of concatenated method names: 'oc696g3bWWRqK0NKB3ay14U4Gq8V', 'vju65yk8hgOZgYVnbYJT8HlRUxNl', 'TqNvCEOc4qHbF8XFcZAg2HOMddxF', '_8yOaSy2rMKk5qhnTxM81uU2uMcrm', 'WyPESK0g28EyjruD9XTbuZvsnwpk'
Source: 2vPsGmF7E2.exe, OII4MuxIOXs8bBtTpxcgCMUOtZX09WUkiQ8sqmmI6ZQ.cs	High entropy of concatenated method names: 'ix73D4k23x2GSySS4Z5tUJrK7HTYk2rc5KAt5TUXwAY', 'HuKOAQ8Ra9smFQm9aVlNCHlXPfRmVHcOXkR6yZ5iWoI', '_9Zfq3mwzKXCfGSxlxydWR3h0UD3BLwJoHGrIisXDg3z', 'gqRZFrmXcm2TYqXEB6szaCM5ctPzo2ZGbZn28U7SxJg', 'OrxK11gIPOfegWjaRSSczZl2K4NeW6nWsFpVaWukQbD', 'Mv8ygDcGJ0ZQBXVhUrJMadRqV6SuZK6sM8pQcuy2pEA', '_5cBvTy4PmQ3WV3mpKAocaQ5XNJPG08iSqPhpdfaRjQS', 'xGKYOOjEApcoGuvIh4yVLZEzppVrbfzKm4YROt5e7wQ', 'wxnBH0jOVPZ3KpVgGpzjdobLRvUWLTqRVoiUZcLjnRW', '_95wsCjdoAtXnhZLQheentIQvLkGKLHnGKWGZ7QMD7oE'
Source: 2vPsGmF7E2.exe, 4UP9xk0ffk5ExCsVe7GEekSpVUia.cs	High entropy of concatenated method names: 'gcZsP1Ob9FTiZYW5A26fUxKDnZnc', '_9C5A4QtiEImNEEgf3hsHqFNw0KGq', 'E8YCZk1ZjDW0o71DX7UyirlJjlXN', 'OkXbxW3I4Qa9RFQj8ooh8Cad9YYX', 'QqvY3YxXKI2GYaOcTipbkh6NeVrT'
Source: 2vPsGmF7E2.exe, Z148COpZW7eomVIFwmd7cLZxNZ7z.cs	High entropy of concatenated method names: 'V2xXeoxm3yeCpdFdlzEOWDiEkiqr', 'SfXSBYYVgtcVCTn0MVzp9D7M7OZs', 'fCURN1eZDNjYBVZLsW3NVLjEqiz2', 'q8swJ59WCoP7ZkYw81KCpjaacywC', 'ZZuUr1K6y5dHdpmZbCp5jqGrAf8w', 'DEsIdCtdUXo2LHLFHYMnavmZ020J', 'LI9VMIvgal8Rshu5S1mydoUSIPsJ', 's0A1KjW0OZF6Qxe3EVhzp0loz8FJ', 'CNrcYd8RLLF4XwQmzxzbsAo7jvzn', 'V7ngOzrcXfvZDkfN6pf9Xyb9dgvD'
Source: 2vPsGmF7E2.exe, wZFLCy4gChI2bu38pSw3OrcGeuzB.cs	High entropy of concatenated method names: '_5vj6dDOqF0p3BevxHWKF6ImQJB7z', 'irrlpnSedhnhyVQpqw1fzY7b1rVV', 'Kj3dspT2eNms6G9w02FXM27stQMK', 'FA8fhsL0i7ghOJ7zPOhgRu7SRqP2', '_7YJIzIfMaxuHRmjBgMxYDsD5RKPS', 'PKM6g5nEmCYItKGD7xE3cg3IZFQp', 'C5dXo45kApISDJgwfzXMVX52ZW4V', 'Q3dFYkbgvEDKKfLktykmNg56vhhG', 'G4KdpvyGG7JCZR7Uxg5sm2jDm6hX', 'dyeyfzPfsBKwfz5vtqmiI3lKECWa'
Source: 2vPsGmF7E2.exe, WrqGdbr1ejCafZsJqjUyNJz1t4HlQUffZeu30F1WBzF.cs	High entropy of concatenated method names: '_5ANfkmrl6u92Q4uuOqFVLe89wonBdBSzpQ5j9HNI8de', 'zozi5ggkhubbyzgv8W8xYNpnr0ay5zHYZSRKW5I1gsm', 'cKxBVjVqpO9N5R9W9Xh3iTzDTW9KMgKifYYE12uUnVQ', 'gmqObOPDRNCZ7gflGLGrxSZgHeiae0oKNzMdaI0Y0pp', 'sg24q4jWAqBnYBUjbN8yChFLlf9xmfExsEQvTrtFFKf', 'XFEUhl8kz1cojcdAZQQey9Q6sEdCdPLVpIUFka0P3KW', 'bdrKrscnWQ6eNSgduHiTbZLyWoYdQuxRtlV6BGGVXdk', 'go654qywp2aoatRrzN5zm7EYkdBghm4Zp7Ulj9I4jp1', 'q226sO0WmQITUMg6IQmucRizLpPwlt4k2TswNjUoDwK', 'gmLA1a64lWP2dftk8nbRvK2sxvwGPAjiiVyiDwb9Win'
Source: 2vPsGmF7E2.exe, gX0Im0RwfdnoeNfprqF3dPjVigi0.cs	High entropy of concatenated method names: 'OrfT2aFhVzOkbge0JerQ5ZRk1B92', '_7QQSNnOA3s93mRLb9e9iGteNRaiK', 'CvWFWAKRU4sZMnAt8TiPRT8PZSEC', 'hHKW8N99lFD8nFhg20N7Q5FIvedx', 'wPZcnFhSWawPgFtpFCT8U8tbRNX1', 'gbDgeea2lyLBd8O4Wr4Yy0irJIwM', 'YcqpJZfaKxo6POO1Z7yF15cxtQDo', 'l7q7UVGeeCHaoOf6Wbc1wppt5i6h', 'TsllHFIr6L278vkz007uQMMO7ADa', '_789kw0XyxYukoHqmjObMyjt5oHt0'
Source: 2vPsGmF7E2.exe, FaoxczXjsOizcqlPcTtvaiLWBVeul6KgcqOp4pZPwAV.cs	High entropy of concatenated method names: '_2NfBQ4MOkumn5JsDAWDo5J5CNQXDoBe60Sjn49WmEB0', 'PmzDoyOg632u0saE128kC6c0EjHCMyRrlhgbhKruYo9', 'WgxxTEqasKa15WHrm4RbVr65OsB5NLv4c2sp2m0dGAp', 'WnergWgQeAdpW48HnBgT0m14hanRa3LWRmjqDhf9IHI', 'FdOYyLQf9607tsnHuy0N2X2GMLCcUDlfRjIXttVAOvA', '_7Tzb6NFBRBx3GUPhbzzcZI15vGs2GG6fhVk3jKSSMdi', '_8sftEjrtHiw0DsaRLmJK1sJXR5J5DLTmYti8xSi6cJL', 'kEZcAxvOtXBuMRbhxDGvKJSGMbIYDFxaNHEB7MKnsD2', 'nCxW0voH87EkFSihkmrUlnEHvrl561GHrcU4f9Gd4zw', 'XWbLMVSKAI7vvQhWRvhu8iTHvFqpohVPJrHPlR57FYu'
Source: 2vPsGmF7E2.exe, zFxJfrJrPYaC3OU29FuMprE18ohQ.cs	High entropy of concatenated method names: 'hPB6j1WFauPZwEBxnOgHJcAls5Iz', 'ZnrmJPtZLF5O6F2kSdyDdK04HJ0E', 'beDUx8re9l7NG2ZPGSwJwvQ5AT6S', '_4nio0Gcbwe5KPC8YqLlVyfpdL6rv', '_02TeP4ALdyKiWA7V2OIij3YDBnd5', 'AOQDGyOdKDYdMBWPQlCxefkQIFzt', 'BVcd4GMbIlC6noI2ZmfsfQQyDk9a', 'FRYUq9Z8wRSagY1OKXuouQdfXnn4', 'i7Rhd8EFOdsTdZnVuNyFEVR4kpKS', 'S32l2jTax1OBysuOgP3NUQ8qoXDg'

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 2vPsGmF7E2.exe	Binary or memory string: SBIEDLL.DLL9M6ZWHSDEOQ88PFPGS25G3YKNUPZN90Y230Z4IXL17J227DKHA84WLA33Z9H6XTB2JB8BDOM2S1JOJ26CJWIPR49VHGLBYXAS00T9T13D8RMRBBZXGVC9R57EU6CRF8KZPZ7WPW1IPXNQDAZI99YAD4NLLAOQELOTFP34FC00FFHIX9LGVWO1D49CQLU9NKY57XYIXZILJZ9MPNCWSDBDUAJEIOS6DDWT6AKJKG49A6O2XCLSREIEWBENKPF5SU0M6IAQ96MLNG06GSCPBX5HWDKKJWIVB7SZG9CGRKVH3RGJ33DMKXG6NKWNBDZJV89BZYF6KIBPCXAYNZSU1UMPHAYRJ299TCEGYBGFVTAOIDHGBGOPWUN1KGFX9CMKHGMHFTOKXYNZCJW2HFPVE925SINFO

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Memory allocated: E10000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\2vPsGmF7E2.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: 2vPsGmF7E2.exe	Binary or memory string: vmware
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 2vPsGmF7E2.exe, 00000000.00000002.1569117563.000000001B973000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWne%SystemRoot%\system32\mswsock.dll, processorArchitecture=MSIL"/>
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Code function: 0_2_00007FFAACCE7701 CheckRemoteDebuggerPresent,

0_2_00007FFAACCE7701

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Queries volume information: C:\Users\user\Desktop\2vPsGmF7E2.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\2vPsGmF7E2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 2vPsGmF7E2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2vPsGmF7E2.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1568677036.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2vPsGmF7E2.exe PID: 5736, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 2vPsGmF7E2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2vPsGmF7E2.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1568677036.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2vPsGmF7E2.exe PID: 5736, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	331 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
2vPsGmF7E2.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
2vPsGmF7E2.exe	100%	Avira	TR/Dropper.Gen
2vPsGmF7E2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
completed-rally.gl.at.ply.gg	true		unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rentry.co/8wum7vax/raw	2vPsGmF7E2.exe	false		unknown
http://ip-api.com	2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, 2vPsGmF7E2.exe, 00000000.00000002.1568677036.0000000002C49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546368
Start date and time:	2024-10-31 20:12:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2vPsGmF7E2.exe renamed because original name is a hash value
Original Sample Name:	6da7f0084b74cddda572b4c839824c50de6965c8b980dd639d15760e85c8c0d3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 6 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 2vPsGmF7E2.exe

Simulations

Behavior and APIs

Time	Type	Description
16:14:45	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	IwSPayUcGx.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	ip-api.com/json/?fields=225545
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	IwSPayUcGx.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	208.95.112.1
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	IwSPayUcGx.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	208.95.112.1
	PCuK01wybv.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	New Order (2).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2vPsGmF7E2.exe_ebe7824e783d8dd956eebe3f8ae6df8cc8696_c718f7ac_f305f120-9219-4b40-a255-f29053f1022f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2099610461393973
Encrypted:	false
SSDEEP:	192:4hWPxI+F0NxM4aWz8iyUp2lxPzuiFgZ24lO8mi:a4x4NxM4a48iMxPzuiFgY4lO8mi
MD5:	FBF2A5BF34BE5771992C232398959525
SHA1:	7A7531D6261B41B9179EDBB93EF9836254328099
SHA-256:	DFF8BBDB3705C0904C746C467788B45C92063A1280511BF60F730512A309FC05
SHA-512:	8EA9379AE28572C92AD708EEC0D303C73D4B60D6CD5176E1A068D108DCD5B9E9C77DA3146970976AF217E2D25FC4D95E859DF2DB401776064FF27CE34909A70E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.5.5.9.6.8.4.4.8.9.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.7.5.5.9.7.5.7.9.2.6.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.0.5.f.1.2.0.-.9.2.1.9.-.4.b.4.0.-.a.2.5.5.-.f.2.9.0.5.3.f.1.0.2.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.d.8.1.2.6.c.-.4.e.5.2.-.4.9.1.a.-.8.a.0.c.-.1.d.5.4.1.0.4.0.d.b.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.2.v.P.s.G.m.F.7.E.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.c.t.y.n.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.6.8.-.0.0.0.1.-.0.0.1.4.-.3.c.4.5.-.b.6.e.d.c.8.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.3.8.4.6.a.8.1.a.a.4.a.e.b.5.b.c.0.c.d.2.0.1.7.a.3.b.d.6.d.6.d.0.0.0.0.0.0.0.0.!.0.0.0.0.c.b.0.b.b.6.5.f.3.0.2.f.4.a.7.e.9.b.6.f.9.0.e.8.a.3.4.1.7.2.6.e.c.a.7.8.8.b.0.7.!.2.v.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD106.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Oct 31 19:13:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	450652
Entropy (8bit):	3.0636406663192397
Encrypted:	false
SSDEEP:	3072:NS6SHlKRj9Huqa1CCq3A3+vaP8MX4/bj1A2VMcSUCm5i:kFHlkjhyq3A3Qa0AUfeg4
MD5:	1D6B4DAD8F33FA9FCBB81C728FD40ACF
SHA1:	78E07509C0802B010027D10BEA94610C75009F31
SHA-256:	2B71F876C736207DB862E87003D528ACAA9D07B3AD9E26874CA5C48BD5B66E5B
SHA-512:	4EE0E17D950484861D1B00CCD0557CC877FB1B606A7507D259AC92387BA087D1C99038A614AFAE9DF00D2613ECD0EC03E6C8BBCC6FBE84F2297082E47FAEA09A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........#g........................d...........<...X(...........(.......7..L...........l.......8...........T............@..t............6...........8..............................................................................eJ......$9......Lw......................T.......h.....#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD29D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8776
Entropy (8bit):	3.698935390993593
Encrypted:	false
SSDEEP:	192:R6l7wVeJNlO6YNZfAYKgmfZ71KpDG89bZkMf8Tm:R6lXJfO6YTfAYKgmf11YZ3fF
MD5:	9D95FEBB289AE48D01B99F348BF17C88
SHA1:	3C582C9FA5240739E411352E26997F33DB93DB94
SHA-256:	FABECA98FE8E721840C62859D5547FDC5CE856C21DF96B9B8D82D2A01408C639
SHA-512:	136C1399BC89DACB651D97289D873AAA1FA62CD18ED92949FFC5F26903007D3DD571D944B81E05575A471B22001198FB112629DE537411C143DDCC3F6D948DD7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4784
Entropy (8bit):	4.448485220945956
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg771I9jiJWpW8VYESYm8M4JAqPF7yq8vhqIlSCqd:uIjfLI74i47VfJtW5SCqd
MD5:	A4DD70067309A57E3041E578F9551A57
SHA1:	878C694EA8F725F761DBC400CDC53B0EBE609B15
SHA-256:	F5CFBAF121AC4463A54BA9EB89C10B86AAC07F80B3A2DC8739AB9E845E7B7D98
SHA-512:	782CA700C5365FC5D1187B632070AA3481ED35F2AD774BB29C7F0EE49421704AF46CEDEA1F9633D2ED8BD0C8AE32F2FF2C04AEE75C73292565AED8E45095A9C7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567975" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416751793465787
Encrypted:	false
SSDEEP:	6144:Bcifpi6ceLPL9skLmb0mfSWSPtaJG8nAgex285i2MMhA20X4WABlGuN75+:ei58fSWIZBk2MM6AFBNo
MD5:	63304E4A74E5E6A3B3C626D158B2E096
SHA1:	5FEDD065169683D9F53A13A9A192331A83C41D36
SHA-256:	64BCD1644E4BBE2E74E145D1147DF9D4CF22146DF206157BD8BB8000F4D7DE75
SHA-512:	3BCD8A79D018900A73C899421FF52197E5F65BFEF690C64AFE78D8A610E37853EFC5194243548D1706924172B42A559A0F52AAD9BBCE4F7E34C7ECED797149C1
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV=...+..............................................................................................................................................................................................................................................................................................................................................8..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.879271398005503
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	2vPsGmF7E2.exe
File size:	462'848 bytes
MD5:	973b6a3341fdea0b7de82697349d3c50
SHA1:	cb0bb65f302f4a7e9b6f90e8a341726eca788b07
SHA256:	6da7f0084b74cddda572b4c839824c50de6965c8b980dd639d15760e85c8c0d3
SHA512:	30f5c87d0164860ca8cd4cc7cc52ba1897c825f43371d22541ace8a332bb8051025dc3cc1aa57f3cf75639e40a9f3ddd5006b07b7297f4b8f1bbdf91ffe47e11
SSDEEP:	12288:/Su2YCRK4dhmsHI0s7UcGkU6nqPfgrbO2LdYm3D3:Ku29wAskynIfgPFLdYMD3
TLSH:	76A4121867F60524F2FF6BB948F27203C736FA332D03969F685A55C32A13585C8619EB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g............................~;... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x413b7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6721D5B3 [Wed Oct 30 06:44:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b2c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4f6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11b84	0x11c00	7b8ba2ef3582c3ead56d0a1d19b47ecd	False	0.5829940580985915	data	6.039527624063681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4f6	0x600	4963d98ec3a70347ebcef65d333a5adf	False	0.3802083333333333	data	3.7903436764760907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	2fa13312898bb2215706e736059a4ba2	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x26c	data			0.45645161290322583
RT_MANIFEST	0x1430c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T20:13:30.961662+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.7	49730	TCP
2024-10-31T20:14:08.915337+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.7	49945	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:13:16.153168917 CET	49699	80	192.168.2.7	208.95.112.1
Oct 31, 2024 20:13:16.158101082 CET	80	49699	208.95.112.1	192.168.2.7
Oct 31, 2024 20:13:16.158174992 CET	49699	80	192.168.2.7	208.95.112.1
Oct 31, 2024 20:13:16.158840895 CET	49699	80	192.168.2.7	208.95.112.1
Oct 31, 2024 20:13:16.163575888 CET	80	49699	208.95.112.1	192.168.2.7
Oct 31, 2024 20:13:16.768678904 CET	80	49699	208.95.112.1	192.168.2.7
Oct 31, 2024 20:13:16.811760902 CET	49699	80	192.168.2.7	208.95.112.1
Oct 31, 2024 20:13:45.593202114 CET	49699	80	192.168.2.7	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:13:16.138753891 CET	51151	53	192.168.2.7	1.1.1.1
Oct 31, 2024 20:13:16.145848989 CET	53	51151	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 20:13:16.138753891 CET	192.168.2.7	1.1.1.1	0xbf0a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 20:13:16.145848989 CET	1.1.1.1	192.168.2.7	0xbf0a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	208.95.112.1	80	5736	C:\Users\user\Desktop\2vPsGmF7E2.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 20:13:16.158840895 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 31, 2024 20:13:16.768678904 CET	174	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 19:13:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	0
Start time:	15:13:11
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\2vPsGmF7E2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2vPsGmF7E2.exe"
Imagebase:	0x7d0000
File size:	462'848 bytes
MD5 hash:	973B6A3341FDEA0B7DE82697349D3C50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1238170768.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1568677036.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:13:16
Start date:	31/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5736 -s 1652
Imagebase:	0x7ff61fbc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACCE1529 Relevance: 6.8, Strings: 5, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"r, xrefs: 00007FFAACCE1893
6, xrefs: 00007FFAACCE19BC
6, xrefs: 00007FFAACCE186F
6, xrefs: 00007FFAACCE1A58
6, xrefs: 00007FFAACCE192C

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID: 6$6$6$6$"r
API String ID: 0-3979851792
Opcode ID: 436d043dced9a17e0b706e8db8135f39b3fea01e8249a33a3a06db7eb4c36fcb
Instruction ID: a705fee1ae344a200d736501ba921317b685365653c4d5b5fbe2ec5f989bb552
Opcode Fuzzy Hash: 436d043dced9a17e0b706e8db8135f39b3fea01e8249a33a3a06db7eb4c36fcb
Instruction Fuzzy Hash: 74F1B671B29A499FE794EF38C45A6B9B7D2FF89311F404579E40EC3292DF28E8418781

Function 00007FFAACCE2021 Relevance: 5.4, Strings: 4, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FFAACCE21F2
6, xrefs: 00007FFAACCE213B
6, xrefs: 00007FFAACCE2090
6, xrefs: 00007FFAACCE22D2

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID: 6$6$6$6
API String ID: 0-3214027553
Opcode ID: 8cc08123501936dc0df1c4632cc588a1d6f79cb5a6dce1c55e2ec6d7cfd221a9
Instruction ID: 99dfaf5ffc5a1d3717307727b2e9b6c0ea988fcb0141a4a9d7990467eba9ace8
Opcode Fuzzy Hash: 8cc08123501936dc0df1c4632cc588a1d6f79cb5a6dce1c55e2ec6d7cfd221a9
Instruction Fuzzy Hash: C1C19771B1DA4A8FFB98EB38845577976D2EF9A340F048179D04EC32D2EF28E8464781

Function 00007FFAACCE7701 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFAACCE77B0

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0cb3fb06aa911a71872d69104ed3b145b6638c2c3bf1548df0568d869bd4bfdb
Instruction ID: a0b60753042e6a5b178725bb352f778a433de14b94569c3383a862ca88eb1401
Opcode Fuzzy Hash: 0cb3fb06aa911a71872d69104ed3b145b6638c2c3bf1548df0568d869bd4bfdb
Instruction Fuzzy Hash: 5A51333180D79CCFDB55DF6888496A97FE0EF56320F0842AAD48CC7192DB38A809C781

Function 00007FFAACCE1D99 Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAACCE1E62

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 6653a14b9ea0b5b2a64868ee1ec17f5e9348dcb86e5758729ff85a71c11d6a7b
Instruction ID: caadef8acc335b9917ab8ddb24fbffa2174f29af1488f014fe553cec8170ccc5
Opcode Fuzzy Hash: 6653a14b9ea0b5b2a64868ee1ec17f5e9348dcb86e5758729ff85a71c11d6a7b
Instruction Fuzzy Hash: 4E513461B1E6C94FE786AB7C98696757FD5DF87215B0805FAE0CDC3193DE089806C382

Function 00007FFAACCE6156 Relevance: .5, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf8461be147c601e0e39934da78909634f715cedfa1827f4a27bf8eb91b0ef0
Instruction ID: 6d1e67d5e292d0fb6fea4f132a6a926d25fc3aaf942e4a8e9041d176f02fb7ce
Opcode Fuzzy Hash: baf8461be147c601e0e39934da78909634f715cedfa1827f4a27bf8eb91b0ef0
Instruction Fuzzy Hash: A7F1C570919A8D8FEBA8DF28C855BE937E1FF56310F04826EE84DC7691CB34D9458B81

Function 00007FFAACCE6F02 Relevance: .5, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36290b20aa27d307f97132e74befd3a80d7b12a41103f33a89f10ad7dd67292
Instruction ID: c9a2809e7b890353325e0fb7ddc1b826ac8f4e620b1a9fae217af6dbab15fc4b
Opcode Fuzzy Hash: f36290b20aa27d307f97132e74befd3a80d7b12a41103f33a89f10ad7dd67292
Instruction Fuzzy Hash: 82E1B370909A8ECFEBA8DF28C8557E977E1EF55310F04826AE84DC7291DF38994587C1

Non-executed Functions

Function 00007FFAACCE10B0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1acc62b0e08bc52facf3e41b05370a46606c20f3455a16f503b894894782c2d
Instruction ID: 4322e39c957e20e7785a07d1111857c62153ad6f09d33687409ce0499383f3a3
Opcode Fuzzy Hash: a1acc62b0e08bc52facf3e41b05370a46606c20f3455a16f503b894894782c2d
Instruction Fuzzy Hash: DD81D793E0D5A25EE61277BCB45A4F96F90DF4333970891F7D18C8E0A38F48649A82D9

Function 00007FFAACCE10E0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1569656228.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacce0000_2vPsGmF7E2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8853fa7e9588f012048deb955774dfd88674ebdd78eb9ed24512fd7843789f3
Instruction ID: 555c49047861404e8333db0c9691d02ea2e034540ac1d641ddb1fa3fea0d9288
Opcode Fuzzy Hash: a8853fa7e9588f012048deb955774dfd88674ebdd78eb9ed24512fd7843789f3
Instruction Fuzzy Hash: 6281D593D0D6A25EE60277BCB45A4F92F90DF4333970891F7D18C8E0A39F48649A82D9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2vPsGmF7E2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2vPsGmF7E2.exe_ebe7824e783d8dd956eebe3f8ae6df8cc8696_c718f7ac_f305f120-9219-4b40-a255-f29053f1022f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD106.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD29D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
2vPsGmF7E2.exe

Function 00007FFAACCE1529 Relevance: 6.8, Strings: 5, Instructions: 524
COMMON

Function 00007FFAACCE2021 Relevance: 5.4, Strings: 4, Instructions: 383
COMMON

Function 00007FFAACCE7701 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 00007FFAACCE1D99 Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Function 00007FFAACCE6156 Relevance: .5, Instructions: 474
COMMON

Function 00007FFAACCE6F02 Relevance: .5, Instructions: 460
COMMON