Windows Analysis Report
rPROFORMAINVOICE-PO_ATS_1036.exe

Overview

General Information

Sample name: rPROFORMAINVOICE-PO_ATS_1036.exe
Analysis ID: 1518225
MD5: ccdc6abb91cba9b82fcea9f02aaeffac
SHA1: 8badde3b9cb21b8f6cd0fcf75f8b94a545fa35ea
SHA256: 55ead53e3dff6db18ab2e0a9e353c4f39e6d0ce7ad0dd506dd7ce92d866b7eaa
Tags: AsyncRAT, exe, user-Porcupine

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Yara signature match

Classification

AV Detection

Source: 00000002.00000002.3247456184.0000000002B51000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["67.215.224.133"], "Port": "5454", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe ReversingLabs: Detection: 65%
Source: rPROFORMAINVOICE-PO_ATS_1036.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack String decryptor: 67.215.224.133
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack String decryptor: 5454
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack String decryptor: <123456789>
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack String decryptor: USB.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbCw? source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.PDBs source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb( source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Xml.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: o.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbZE source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: %%.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001163000.00000004.00000020.00020000.00000000.sdmp, WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.pdbH source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Management.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Management.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbSx, source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb' source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then push rbx 0_2_00007FF78BA0CC30
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then push rbx 0_2_00007FF78B9DFAA0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF78BA37A90
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF78B9DF9C0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then mov rax, rcx 0_2_00007FF78B9C9FC0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then push rdi 0_2_00007FF78BA34450
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 4x nop then push rdi 0_2_00007FF78BA30200

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:58148 -> 67.215.224.133:5454
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:58154 -> 67.215.224.133:5454
Source: Malware configuration extractor URLs: 67.215.224.133
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 67.215.224.133:5454
Source: global traffic TCP traffic: 192.168.2.4:58130 -> 162.159.36.2:53
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: rPROFORMAINVOICE-PO_ATS_1036.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: String function: 00007FF78B95C1A0 appears 63 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Binary or memory string: OriginalFilename vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544EA00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient2.exe4 vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient2.exe4 vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BF88000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb(
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/6@1/1
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 0_2_00007FF78B961830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF78B961830
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\gZovO7Orbqb3wmDO
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1a708cb1-4ad5-4c75-a775-0cae34537d3d
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe File read: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
Source: unknown Process created: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe "C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Section loaded: icu.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static file information: File size 1464832 > 1048576
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbCw? source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.PDBs source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb( source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Xml.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: o.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbZE source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: %%.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001163000.00000004.00000020.00020000.00000000.sdmp, WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.pdbH source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Management.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Management.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbSx, source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb' source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs .Net Code: Memory
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: section name: .managed
Source: rPROFORMAINVOICE-PO_ATS_1036.exe Static PE information: section name: hydrated
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr Static PE information: section name: .managed
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr Static PE information: section name: hydrated
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory allocated: 25447A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1705 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8096 Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1508 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3916 Thread sleep count: 1705 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3916 Thread sleep count: 8096 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 0_2_00007FF78B961460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF78B961460
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 0_2_00007FF78B9BB64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF78B9BB64C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AEE008
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-^q
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: GetLocaleInfoEx, 0_2_00007FF78B9E8FB0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: GetLocaleInfoEx, 0_2_00007FF78B9E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe Code function: 0_2_00007FF78B960030 GetSystemTimeAsFileTime, 0_2_00007FF78B960030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPROFORMAINVOICE-PO_ATS_1036.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3756, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPROFORMAINVOICE-PO_ATS_1036.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3756, type: MEMORYSTR