Windows Analysis Report
SOA-injazfe-10424.vbs

Overview

General Information

Sample name: SOA-injazfe-10424.vbs
Analysis ID: 1526836
MD5: d1d114a2cb6d4a5fcc20e0db06755948
SHA1: eafdcba5d2d41934ae19628ac35675f7fce924c1
SHA256: f71d04f863721491823b5ed2b83d2f30d67084025bf7ea9fc52c615ba0fd3040
Tags: Formbookvbsuser-abuse_ch
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Potential malicious VBS script found (has network functionality)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SOA-injazfe-10424.vbs Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\task.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["isika.ddns.net"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018"}
Source: WindowsApp.exe.1204.7.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\task.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: Binary string: .pdb} source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_b9 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbH source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Xml.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1&0 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbra source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb@w^ source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.pdbp source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: *Win32_OperatingSystemblib.pdb A source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbwA source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdbq source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C130000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C197000.00000004.00000020.00020000.00000000.sdmp, WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Management.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbVa} source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: msymbols\dll\mscorlib.pdbpdb` source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: orlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 4x nop then dec eax 7_2_00007FFAAC4E7EDD
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 4x nop then dec eax 7_2_00007FFAAC4E3799
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 4x nop then dec eax 7_2_00007FFAAC4E9D77
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h 7_2_00007FFAAC4E07E8
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h 7_2_00007FFAAC4E0235

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49494 -> 45.88.91.147:7000
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49621 -> 45.88.91.147:7000
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49701 -> 149.154.167.220:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: isika.ddns.net
Potential malicious VBS script found (has network functionality)
Source: Initial file: binaryStream.SaveToFile executablePath, 2 ' Overwrite if file exists
Uses dynamic DNS services
Source: unknown DNS query: name: isika.ddns.net
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49712 -> 45.88.91.147:7000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: isika.ddns.net
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=70620
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 12.2.task.exe.12fce598.5.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 12.2.task.exe.13f0000.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 12.2.task.exe.12f80918.3.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 12.2.task.exe.12fa7760.4.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 16.2.task.exe.122f0908.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 16.2.task.exe.12317740.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
PE file contains section with special chars
Source: WindowsApp.exe.2.dr Static PE information: section name: dCocB{
Source: task.exe.7.dr Static PE information: section name: dCocB{
PE file has nameless sections
Source: WindowsApp.exe.2.dr Static PE information: section name:
Source: task.exe.7.dr Static PE information: section name:
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4DEDF6 7_2_00007FFAAC4DEDF6
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4DDF5A 7_2_00007FFAAC4DDF5A
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4DF3B2 7_2_00007FFAAC4DF3B2
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D85D8 7_2_00007FFAAC4D85D8
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4DD7DD 7_2_00007FFAAC4DD7DD
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E51A1 7_2_00007FFAAC4E51A1
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D18CB 7_2_00007FFAAC4D18CB
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4CFE79 7_2_00007FFAAC4CFE79
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D1924 7_2_00007FFAAC4D1924
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D11A9 7_2_00007FFAAC4D11A9
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 16_2_00007FFAAC4C07C5 16_2_00007FFAAC4C07C5
Java / VBScript file with very long strings (likely obfuscated code)
Source: SOA-injazfe-10424.vbs Initial sample: Strings found which are bigger than 50
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304
Yara signature match
Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: WindowsApp.exe.2.dr Static PE information: Section: dCocB{ ZLIB complexity 1.0003641419491525
Source: task.exe.7.dr Static PE information: Section: dCocB{ ZLIB complexity 1.0003641419491525
Source: 12.2.task.exe.12fce598.5.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12fce598.5.raw.unpack, Helper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12fce598.5.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12fce598.5.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.13f0000.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.13f0000.2.raw.unpack, Helper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.13f0000.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.13f0000.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12f80918.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12f80918.3.raw.unpack, Helper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12f80918.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12f80918.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.task.exe.12317740.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.12317740.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12fa7760.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12fa7760.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.13f0000.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.13f0000.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12fce598.5.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12fce598.5.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.task.exe.122f0908.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.122f0908.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12f80918.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12f80918.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@12/9@6/3
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\task.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1204
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Mutant created: \Sessions\1\BaseNamedObjects\orLUmecz6hXR75b4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: task.lnk.7.dr LNK file: ..\..\..\..\..\task.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: .pdb} source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_b9 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbH source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Xml.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1&0 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbra source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb@w^ source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.pdbp source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: *Win32_OperatingSystemblib.pdb A source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbwA source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdbq source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C130000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C197000.00000004.00000020.00020000.00000000.sdmp, WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Management.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbVa} source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: msymbols\dll\mscorlib.pdbpdb` source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: orlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdb source: WER2B9E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe", "1", "true");
.NET source code contains potential unpacker
Source: 12.2.task.exe.12fce598.5.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 12.2.task.exe.13f0000.2.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 12.2.task.exe.12f80918.3.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 12.2.task.exe.12fa7760.4.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 16.2.task.exe.122f0908.2.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
Source: 16.2.task.exe.12317740.1.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
PE file contains sections with non-standard names
Source: WindowsApp.exe.2.dr Static PE information: section name: dCocB{
Source: WindowsApp.exe.2.dr Static PE information: section name:
Source: task.exe.7.dr Static PE information: section name: dCocB{
Source: task.exe.7.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E976F pushfd ; ret 7_2_00007FFAAC4E97C1
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D5926 push ds; iretd 7_2_00007FFAAC4D5929
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E7483 push ebx; ret 7_2_00007FFAAC4E7484
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4C00BD pushad ; iretd 7_2_00007FFAAC4C00C1
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 12_2_00BDC92F push rbx; ret 12_2_00BDC931
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 12_2_00007FFAAC4B3D85 push esp; retf 12_2_00007FFAAC4B3D86
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 14_2_00007FFAAC4A3D85 push esp; retf 14_2_00007FFAAC4A3D86
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 15_2_00007FFAAC4D00BD pushad ; iretd 15_2_00007FFAAC4D00C1
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 15_2_00007FFAAC4D3D85 push esp; retf 15_2_00007FFAAC4D3D86
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 16_2_00007FFAAC4C00BD pushad ; iretd 16_2_00007FFAAC4C00C1
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 16_2_00007FFAAC4C3D85 push esp; retf 16_2_00007FFAAC4C3D86
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4C00BD pushad ; iretd 20_2_00007FFAAC4C00C1
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4D5926 push ds; iretd 20_2_00007FFAAC4D5929
Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4D7A41 push ecx; iretd 20_2_00007FFAAC4D7A42
Source: WindowsApp.exe.2.dr Static PE information: section name: dCocB{ entropy: 7.998877154551337
Source: task.exe.7.dr Static PE information: section name: dCocB{ entropy: 7.998877154551337
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\task.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run task Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run task Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Memory allocated: 860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Memory allocated: 1A480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1AF50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1660000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1B0C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1ACC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 7A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1A2C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1380000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Memory allocated: 1B1D0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599090 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598760 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Window / User API: threadDelayed 5882 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Window / User API: threadDelayed 3890 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599872s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -599090s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520 Thread sleep time: -598760s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 7204 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 7376 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 7500 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 7556 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 7932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 599090 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Thread delayed: delay time: 598760 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq|;
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E07E8 CheckRemoteDebuggerPresent, 7_2_00007FFAAC4E07E8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: WindowsApp.exe.2.dr Jump to dropped file
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe" Jump to behavior
Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>1864657
Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2052191
Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>1864657@
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2055746@
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2052191@
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2052191
Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,PING!<Xwormmm>Program Manager<Xwormmm>184695@
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,PING!<Xwormmm>Program Manager<Xwormmm>184695
Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2055746
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>184695
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>1864657
Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2055746
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\WindowsApp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B450000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C17D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526836 Sample: SOA-injazfe-10424.vbs Startdate: 06/10/2024 Architecture: WINDOWS Score: 100 34 isika.ddns.net 2->34 36 api.telegram.org 2->36 38 3 other IPs or domains 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 56 12 other signatures 2->56 9 wscript.exe 2 2->9         started        13 task.exe 3 2->13         started        15 task.exe 2 2->15         started        17 3 other processes 2->17 signatures3 52 Uses dynamic DNS services 34->52 54 Uses the Telegram API (likely for C&C communication) 36->54 process4 file5 32 C:\Users\user\AppData\...\WindowsApp.exe, PE32 9->32 dropped 66 Benign windows process drops PE files 9->66 68 VBScript performs obfuscated calls to suspicious functions 9->68 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->70 19 WindowsApp.exe 15 6 9->19         started        72 Antivirus detection for dropped file 13->72 74 Machine Learning detection for dropped file 13->74 signatures6 process7 dnsIp8 40 ip-api.com 208.95.112.1, 49699, 80 TUT-ASUS United States 19->40 42 api.telegram.org 149.154.167.220, 443, 49701 TELEGRAMRU United Kingdom 19->42 44 isika.ddns.net 45.88.91.147, 49494, 49620, 49621 LVLT-10753US Bulgaria 19->44 30 C:\Users\user\AppData\Roaming\task.exe, PE32 19->30 dropped 58 Antivirus detection for dropped file 19->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->60 62 Machine Learning detection for dropped file 19->62 64 3 other signatures 19->64 24 schtasks.exe 1 19->24         started        26 WerFault.exe 19->26         started        file9 signatures10 process11 process12 28 conhost.exe 24->28         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
45.88.91.147
 isika.ddns.net Bulgaria
10753 LVLT-10753US true

Contacted Domains

Name IP Active
isika.ddns.net 45.88.91.147 true
ip-api.com 208.95.112.1 true
api.telegram.org 149.154.167.220 true
198.187.3.20.in-addr.arpa unknown unknown
50.23.12.20.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
isika.ddns.net true
    		unknown
    https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 true
      		unknown
      http://ip-api.com/line/?fields=hosting false
      • URL Reputation: safe
      		 unknown