Windows Analysis Report
5fnrWlGa3H.exe

Overview

General Information

Sample name: 5fnrWlGa3H.exe
renamed because original name is a hash value
Original sample name: 36E570B7964F458F06DC81B29802E947.exe
Analysis ID: 1528937
MD5: 36e570b7964f458f06dc81b29802e947
SHA1: 3d26217dbe9f6c2ab2c78f879e348958f304527c
SHA256: 0522d7e6b3fc2fbd36f0d8145de8b564146188d515099d7661de3b4d82e287f4
Tags: exe, XenoRAT, user-abuse_ch

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 5fnrWlGa3H.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 1.2.5fnrWlGa3H.exe.400000.0.unpack Malware Configuration Extractor: XenoRAT {"C2 url": "87.120.116.119", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe ReversingLabs: Detection: 65%
Source: 5fnrWlGa3H.exe Virustotal: Detection: 59%
Source: 5fnrWlGa3H.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Joe Sandbox ML: detected
Source: 5fnrWlGa3H.exe Joe Sandbox ML: detected
Source: 5fnrWlGa3H.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5fnrWlGa3H.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.costura.pdb.compressed source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: $jq&costura.xeno rat client.pdb.compressed4'jq source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 4x nop then jmp 01AA17B0h 1_2_01AA0B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 4x nop then jmp 02C817B0h 3_2_02C80B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02C8D021
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02C8817A
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 4x nop then jmp 051117B0h 10_2_05110B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 4x nop then jmp 00EC17B0h 12_2_00EC0B60

Networking

Source: Network traffic Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 87.120.116.119:1380 -> 192.168.2.5:62185
Source: Malware configuration extractor URLs: 87.120.116.119
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 87.120.116.119:1380
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.116.119 (this entry is repeated 50 times in the report)
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: 5fnrWlGa3H.exe, 0000000C.00000002.2063581045.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: zoiygpwj.rc5.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: 5fnrWlGa3H.exe Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe.1.dr Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe Static PE information: section name:
Source: 5fnrWlGa3H.exe.1.dr Static PE information: section name:
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F90D8 NtReadVirtualMemory, 7_2_055F90D8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F94B0 NtWriteVirtualMemory, 7_2_055F94B0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F9608 NtSetContextThread, 7_2_055F9608
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F9290 NtResumeThread, 7_2_055F9290
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F90D1 NtReadVirtualMemory, 7_2_055F90D1
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F94A8 NtWriteVirtualMemory, 7_2_055F94A8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F9600 NtSetContextThread, 7_2_055F9600
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F9288 NtResumeThread, 7_2_055F9288
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_02EE3CA0 0_2_02EE3CA0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C2D38 0_2_010C2D38
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6DD8 0_2_010C6DD8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010CBDD0 0_2_010CBDD0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C24A0 0_2_010C24A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C08F8 0_2_010C08F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C3750 0_2_010C3750
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010CC638 0_2_010CC638
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C4650 0_2_010C4650
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010CC2A0 0_2_010CC2A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6949 0_2_010C6949
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6958 0_2_010C6958
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C1958 0_2_010C1958
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C4559 0_2_010C4559
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010CB198 0_2_010CB198
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C240A 0_2_010C240A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C7810 0_2_010C7810
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6069 0_2_010C6069
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6078 0_2_010C6078
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C54E8 0_2_010C54E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C54F8 0_2_010C54F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C2770 0_2_010C2770
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6BC1 0_2_010C6BC1
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C6BD0 0_2_010C6BD0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C66D8 0_2_010C66D8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 0_2_010C66E8 0_2_010C66E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 1_2_01AA0B60 1_2_01AA0B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C80B60 3_2_02C80B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87898 3_2_02C87898
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8B8A0 3_2_02C8B8A0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8C6D0 3_2_02C8C6D0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C82760 3_2_02C82760
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8DC80 3_2_02C8DC80
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C85C7B 3_2_02C85C7B
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8E5F0 3_2_02C8E5F0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C83D60 3_2_02C83D60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8ED18 3_2_02C8ED18
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8AF50 3_2_02C8AF50
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C82757 3_2_02C82757
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8DC73 3_2_02C8DC73
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D012E8 3_2_02D012E8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D00278 3_2_02D00278
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0F09A 3_2_02D0F09A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0AAE0 3_2_02D0AAE0
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0FB08 3_2_02D0FB08
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D029F8 3_2_02D029F8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D05968 3_2_02D05968
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D02F39 3_2_02D02F39
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D04C10 3_2_02D04C10
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D012DB 3_2_02D012DB
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0026B 3_2_02D0026B
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0E5D0 3_2_02D0E5D0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01602D38 7_2_01602D38
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_0160BDD0 7_2_0160BDD0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606DD8 7_2_01606DD8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016008F8 7_2_016008F8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016024A0 7_2_016024A0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01602770 7_2_01602770
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01603750 7_2_01603750
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01604650 7_2_01604650
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_0160C638 7_2_0160C638
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_0160C2A0 7_2_0160C2A0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606949 7_2_01606949
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606958 7_2_01606958
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01601958 7_2_01601958
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01604559 7_2_01604559
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_0160B198 7_2_0160B198
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606069 7_2_01606069
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606078 7_2_01606078
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01602409 7_2_01602409
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016054E8 7_2_016054E8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016054F8 7_2_016054F8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606BC1 7_2_01606BC1
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_01606BD0 7_2_01606BD0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016066E8 7_2_016066E8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_016066D8 7_2_016066D8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055FA9D0 7_2_055FA9D0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F8060 7_2_055F8060
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055FAE70 7_2_055FAE70
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F6EC8 7_2_055F6EC8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055FA9C0 7_2_055FA9C0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F3C90 7_2_055F3C90
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F3CA0 7_2_055F3CA0
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F9770 7_2_055F9770
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F976F 7_2_055F976F
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F7FE2 7_2_055F7FE2
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F37B8 7_2_055F37B8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055FAE60 7_2_055FAE60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055FAE20 7_2_055FAE20
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 7_2_055F6EB8 7_2_055F6EB8
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 10_2_05110B60 10_2_05110B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Code function: 12_2_00EC0B60 12_2_00EC0B60
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80
Source: 5fnrWlGa3H.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 5fnrWlGa3H.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000000.2041304346.0000000000A92000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2058476458.00000000010DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000001.00000002.2051574960.00000000015EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000001.00000002.2050162445.000000000040E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003146000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBouncyCastle.Crypto.dllP vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000003.00000002.4531740504.00000000073A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBouncyCastle.Crypto.dllP vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXeno_manager.exe: vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe, 00000007.00000002.2064568243.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe.1.dr Binary or memory string: OriginalFilenameserver1.exeD vs 5fnrWlGa3H.exe
Source: 5fnrWlGa3H.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5fnrWlGa3H.exe Static PE information: Section: !KZr-E>K ZLIB complexity 1.0003727956431536
Source: 5fnrWlGa3H.exe.1.dr Static PE information: Section: !KZr-E>K ZLIB complexity 1.0003727956431536
Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/13@1/1
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5fnrWlGa3H.exe.log
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2200
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File created: C:\Users\user\AppData\Local\Temp\a3mi0qv1.bas
Source: 5fnrWlGa3H.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003212000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003292000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003202000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.000000000329E000.00000004.00000800.00020000.00000000.sdmp, 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000003220000.00000004.00000800.00020000.00000000.sdmp, 2tif1pqf.0vs.3.dr, a3mi0qv1.bas.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 5fnrWlGa3H.exe Virustotal: Detection: 59%
Source: 5fnrWlGa3H.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File read: C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: unknown Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe "C:\Users\user\Desktop\5fnrWlGa3H.exe"
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 80
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 84
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 5fnrWlGa3H.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 5fnrWlGa3H.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.costura.pdb.compressed source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: $jq&costura.xeno rat client.pdb.compressed4'jq source: 5fnrWlGa3H.exe, 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Unpacked PE file: 0.2.5fnrWlGa3H.exe.a70000.0.unpack !KZr-E>K:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler
Source: 3.2.5fnrWlGa3H.exe.64a0000.1.raw.unpack, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, DllHandler.cs .Net Code: DllNodeHandler
Source: Yara match File source: 3.2.5fnrWlGa3H.exe.64a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.5fnrWlGa3H.exe.64a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4530137278.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4524503133.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 5492, type: MEMORYSTR
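The costura.*.pdb.compressed strings and the AssemblyLoader.cs ReadFromEmbeddedResources -> System.Reflection.Assembly.Load(byte[]) call above are what Costura.Fody generates when it merges referenced assemblies into the main executable as manifest resources, so the real client assembly has to be recovered from those resources rather than from the outer PE. The Python below is an added example, not code from this report, the sample or Costura: it takes (resource name, bytes) pairs, recognises Costura's naming scheme, inflates the payload (Costura compresses with .NET's DeflateStream, i.e. raw DEFLATE without a zlib header) and checks whether the result is a PE image. It assumes the manifest resources have already been extracted with a .NET-aware tool, and the resource contents used here are constructed stand-ins. The DllHandler.cs / DllNodeHandler Assembly.Load(byte[]) entries are a second, separate load site in the RAT's own code and are not covered by this script.

```python
import re
import zlib
from typing import Optional

# Costura.Fody names each embedded assembly "costura.<assembly>.dll" or, with
# compression enabled, "costura.<assembly>.dll.compressed" (plus a matching
# ".pdb[.compressed]"). This is general Costura behaviour, not taken from the sample.
COSTURA_RESOURCE = re.compile(
    r"^costura\.(?P<assembly>.+)\.(?P<kind>dll|pdb)(?P<compressed>\.compressed)?$",
    re.IGNORECASE)

def inflate_costura(blob: bytes) -> bytes:
    """Raw DEFLATE (wbits=-15); plain zlib.decompress() would reject the missing header."""
    d = zlib.decompressobj(wbits=-15)
    return d.decompress(blob) + d.flush()

def deflate_raw(data: bytes) -> bytes:
    """Inverse of inflate_costura(); used only to build the constructed resources below."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

def unpack_costura_resource(name: str, data: bytes) -> Optional[dict]:
    """Return the embedded payload and what the name claims it is, or None when the
    resource does not follow Costura's naming scheme."""
    m = COSTURA_RESOURCE.match(name)
    if not m:
        return None
    payload = inflate_costura(data) if m.group("compressed") else data
    return {
        "assembly": m.group("assembly"),
        "kind": m.group("kind").lower(),
        "compressed": bool(m.group("compressed")),
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",   # a .dll payload should start with the MZ header
        "payload": payload,
    }

def triage_resources(resources: dict) -> list:
    """resources maps manifest-resource name -> raw bytes, as dumped by a .NET tool."""
    found = []
    for name, data in resources.items():
        r = unpack_costura_resource(name, data)
        if r is not None:
            found.append(r)
    return found

# Constructed stand-ins for the real resources (not bytes from the sample).
FAKE_DLL = b"MZ" + bytes(62) + b"PE\0\0" + bytes(200)
FAKE_PDB = b"Microsoft C/C++ MSF 7.00\r\n" + bytes(100)
CONSTRUCTED_RESOURCES = {
    "costura.xeno rat client.dll.compressed": deflate_raw(FAKE_DLL),
    "costura.xeno rat client.pdb.compressed": deflate_raw(FAKE_PDB),
    "costura.costura.pdb.compressed": deflate_raw(FAKE_PDB),
    "client.Properties.Resources.resources": b"\xce\xca\xef\xbe",  # ordinary resource, ignored
}

if __name__ == "__main__":
    for r in triage_resources(CONSTRUCTED_RESOURCES):
        print(f"{r['assembly']!r:<20} {r['kind']} {r['size']:6d} bytes  PE={r['is_pe']}")
```

Feed the returned payload of the .dll entry to a decompiler (or hash it) to get at the client itself; the .pdb entries are worth keeping too, since they carry the original project name, as the "xeno rat client" string in this report shows.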
Source: 5fnrWlGa3H.exe Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe Static PE information: section name: (empty; nameless section)
Source: 5fnrWlGa3H.exe.1.dr Static PE information: section name: !KZr-E>K
Source: 5fnrWlGa3H.exe.1.dr Static PE information: section name: (empty; nameless section)
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87248 push esp; retf 3_2_02C8724A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8A384 push 691402CBh; retf 3_2_02C8A38A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86B91 push ecx; retf 3_2_02C86B92
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86B29 push ecx; retf 3_2_02C86B2A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86B2B push eax; retf 3_2_02C86B32
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8708B push ebx; retf 3_2_02C87092
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87087 push ebx; retf 3_2_02C8708A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C871B8 push esp; retf 3_2_02C871BA
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87173 push esp; retf 3_2_02C8717A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C88EFC pushfd ; retf 3_2_02C88EFD
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86E98 push ebx; retf 3_2_02C86E9A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87E78 pushad ; retf 3_2_02C87E7A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86E30 push edx; retf 3_2_02C86E32
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86E33 push edx; retf 3_2_02C86E3A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C89F44 push 686802CBh; retf 3_2_02C89F4A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C874EF push esi; retf 3_2_02C874F2
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C87419 push esi; retf 3_2_02C8741A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8741B push esi; retf 3_2_02C87422
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86D40 push edx; retf 3_2_02C86D42
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8257B push ds; retf 3_2_02C82582
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C86D01 push edx; retf 3_2_02C86D02
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02C8752B push edi; retf 3_2_02C87532
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0EDB8 pushad ; iretd 3_2_02D0F095
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0747F push C3059489h; ret 3_2_02D074B8
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Code function: 3_2_02D0DAD2 pushad ; ret 3_2_02D0DAD9
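The push/retf and push/ret pairs above are what an analyzer reports when it disassembles every byte of a region. Their addresses (02C8xxxx, 02D0xxxx) sit a few hundred KB above the region a 5fnrWlGa3H.exe instance reserved at 2C40000 with a write watch, which in a .NET process is consistent with a CLR-managed heap, so these are most likely heap data decoded as instructions rather than deliberate obfuscation; treat the finding as a weak signal and weigh the Costura loader and the packed section more heavily. The scanner below is an added example, not code from the report or the sample: it finds the adjacent form of the pattern in a memory dump and prints each hit in the report's start / instruction / end layout. The sandbox's own heuristic also tolerates instructions between the push and the return (see the 02C8708B to 02C87092 entry); this scanner does not. The input buffer is constructed, not bytes from the sample.

```python
# 32-bit x86 single-byte opcodes involved in the pattern.
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSH_MISC = {0x60: "pushad", 0x9C: "pushfd"}
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

def _decode_push(buf: bytes, i: int):
    """Return (mnemonic, length) if buf[i:] starts with a push form, else None."""
    op = buf[i]
    if op in PUSH_REG:
        return f"push {PUSH_REG[op]}", 1
    if op in PUSH_SEG:
        return f"push {PUSH_SEG[op]}", 1
    if op in PUSH_MISC:
        return PUSH_MISC[op], 1
    if op == 0x68 and i + 5 <= len(buf):            # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(buf):            # push imm8
        return f"push {buf[i + 1]:02X}h", 2
    return None

def find_push_ret_gadgets(buf: bytes) -> list:
    """Every offset where a push form is immediately followed by ret/retf/iretd."""
    hits = []
    for i in range(len(buf)):
        decoded = _decode_push(buf, i)
        if decoded is None:
            continue
        text, length = decoded
        j = i + length
        if j < len(buf) and buf[j] in RET_OPS:
            hits.append({"offset": i, "end": j + 1, "text": f"{text}; {RET_OPS[buf[j]]}"})
    return hits

def gadget_density(buf: bytes) -> float:
    """Hits per KiB. Managed-heap data (object headers, UTF-16 strings) produces
    plenty of these by accident, so use it as a weak signal, never a verdict."""
    return len(find_push_ret_gadgets(buf)) * 1024 / len(buf) if buf else 0.0

def format_hit(base: int, hit: dict) -> str:
    """Mirror the report's '<start> <instruction> <end>' layout for a region at base."""
    return f"{base + hit['offset']:08X} {hit['text']} {base + hit['end']:08X}"

# Constructed buffer: a normal prologue, four push/ret pairs shaped like the
# ones in the report, and some ASCII. Not bytes taken from the sample.
SAMPLE = bytes.fromhex(
    "55 8B EC"            # push ebp; mov ebp, esp  (no hit: the push is not followed by a ret)
    "54 CB"               # push esp; retf
    "68 CB 02 14 69 CB"   # push 691402CBh; retf   (the immediate itself contains a CB byte)
    "90 90"
    "60 CF"               # pushad; iretd
    "68 89 94 05 C3 C3"   # push C3059489h; ret
    "48 65 6C 6C 6F"      # "Hello"
    "C3"
)

if __name__ == "__main__":
    for h in find_push_ret_gadgets(SAMPLE):
        print(format_hit(0x02C87245, h))
    print(f"density: {gadget_density(SAMPLE):.1f} hits/KiB")
```

Run it over a dumped region (for example the .unpack files this report references) and compare the density of a known-good .NET heap against the region in question before drawing any conclusion from the raw hit list.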
Source: 5fnrWlGa3H.exe Static PE information: section name: !KZr-E>K entropy: 7.998540652452658
Source: 5fnrWlGa3H.exe.1.dr Static PE information: section name: !KZr-E>K entropy: 7.998540652452658
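The static findings in this section (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory marking a managed image, the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE DllCharacteristics, the section named !KZr-E>K with entropy 7.9985 and EW rights, and the nameless fifth section) can all be reproduced from the PE headers without running the sample. The Python below is an added example, not code from this report: a minimal PE32/PE32+ section-table walker plus a triage() function that emits those findings. Because the sample is not embedded here, build_constructed_pe() assembles a stand-in 32-bit image that copies the reported layout (section names, rights, DllCharacteristics, CLR header entry and a maximally high-entropy first section); it is constructed data, not the real file.

```python
import math
import re
import struct
from collections import Counter

# Constants from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
COM_DESCRIPTOR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header)
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
SANE_NAME = re.compile(r"^[A-Za-z0-9._$]{1,8}$")   # what linkers normally emit (.text, .rsrc, ...)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum; above ~7.0 usually means compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(buf: bytes) -> dict:
    """DllCharacteristics, CLR-header presence and per-section name/rights/entropy.
    Handles PE32 and PE32+, which differ only in where the data directories sit."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", buf, opt + 70)[0]
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    ndirs = struct.unpack_from("<I", buf, opt + ndirs_off)[0]
    clr_va = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_va, clr_size = struct.unpack_from("<II", buf, opt + dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HDR, buf, opt + opt_size + 40 * i)
        name = hdr[0].split(b"\0", 1)[0].decode("latin-1")
        rsize, rptr, chars = hdr[3], hdr[4], hdr[9]      # SizeOfRawData, PointerToRawData, Characteristics
        rights = "".join(f for f, bit in (("E", SCN_EXECUTE), ("W", SCN_WRITE), ("R", SCN_READ)) if chars & bit)
        sections.append({"index": i, "name": name, "rights": rights, "nameless": name == "",
                         "special_chars": name != "" and not SANE_NAME.match(name),
                         "entropy": shannon_entropy(buf[rptr:rptr + rsize])})
    return {"dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
            "has_clr_header": clr_va != 0 and clr_size != 0, "sections": sections}

def triage(buf: bytes) -> list:
    """Turn parse_pe() output into findings of the kind a sandbox report lists."""
    info, findings = parse_pe(buf), []
    if info["has_clr_header"]:
        findings.append("CLR header present (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR): managed .NET image")
    for s in info["sections"]:
        label = f"section {s['index']} ({s['name']!r})"
        if s["nameless"]:
            findings.append(f"{label}: nameless section")
        if s["special_chars"]:
            findings.append(f"{label}: section name contains special characters")
        if s["entropy"] > 7.0:
            findings.append(f"{label}: entropy {s['entropy']:.3f}, packed or encrypted content")
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append(f"{label}: writable and executable ({s['rights']})")
    return findings

def build_constructed_pe() -> bytes:
    """Constructed PE32 image copying the layout the report describes; NOT the sample."""
    sections = [  # (name, raw data, IMAGE_SCN_* characteristics)
        (b"!KZr-E>K", bytes(range(256)) * 16, 0x40 | SCN_EXECUTE | SCN_WRITE),   # uniform bytes: entropy 8.0
        (b".text", b"\x55\x8b\xec" + b"\x90" * 253, 0x20 | SCN_EXECUTE | SCN_READ),
        (b".rsrc", b"costura.xeno rat client.pdb.compressed".ljust(256, b"\0"), 0x40 | SCN_READ),
        (b".reloc", bytes(256), 0x40 | SCN_READ),
        (b"", b"\x33\xc0\xc3".ljust(256, b"\0"), 0x20 | SCN_EXECUTE | SCN_READ),        # nameless
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 2, 0x8560)  # Subsystem GUI; DllCharacteristics = the five flags in the report
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)   # CLR header directory entry
    raw_ptr = 64 + 4 + 20 + 224 + 40 * len(sections)            # first byte after the headers
    hdrs = body = b""
    for i, (name, data, chars) in enumerate(sections):
        hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                            len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs + body
```

Call triage(build_constructed_pe()) to see the constructed image's findings, or triage(open(path, "rb").read()) on a real file. The entropy threshold of 7.0 and the section-name regex are this example's choices, not the sandbox's; a writable+executable section with entropy near 8.0 is the strongest of the three static signals, because ordinary compilers never emit one.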
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process information set: NOOPENFILEERRORBOX (100 identical entries)
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process information set: NOOPENFILEERRORBOX (25 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process information set: NOOPENFILEERRORBOX (28 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 5440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 6440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 6570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 7570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 78C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 17C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 32D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 52D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 2E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: 4E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 3180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 1720000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 5830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 6830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 6960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 7960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 7CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 8CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 2BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 2C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 4C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 2AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory allocated: 1020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Window / User API: threadDelayed 8698 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Window / User API: threadDelayed 1135 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 6008 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 1900 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 6596 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 2672 Thread sleep count: 8698 > 30 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe TID: 2672 Thread sleep count: 1135 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 4672 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 6220 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wqr5mayt.mmg.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wqr5mayt.mmg.3.dr Binary or memory string: discord.comVMware20,11696428655f
Source: wqr5mayt.mmg.3.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: global block list test formVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wqr5mayt.mmg.3.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wqr5mayt.mmg.3.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: wqr5mayt.mmg.3.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wqr5mayt.mmg.3.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wqr5mayt.mmg.3.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 5fnrWlGa3H.exe, 00000003.00000002.4523467453.00000000011B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wqr5mayt.mmg.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wqr5mayt.mmg.3.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wqr5mayt.mmg.3.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wqr5mayt.mmg.3.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wqr5mayt.mmg.3.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wqr5mayt.mmg.3.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wqr5mayt.mmg.3.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 5fnrWlGa3H.exe Binary or memory string: hy0ZI63i+QfA4mtukVRrITaMl9cgwO/8MKxwEKCjXLQCy/eh4xfjMbVGFhmK6O57QC3ICgu3+eAUuR7zfjJBR9zPYuJ7f+YphXJfEfvxVAeHNbvL4je7N3K3EGszqye3biSRz+YyawckoaCfbGmlw4D3KRowK4ZxkenxO0np3WQq22cUAV3MnLBn5dQEmU0rubgeo/K5MSI9t8s/FpJHXckcxVbz4kXcMHKI4Z0RkIkYlXIeFflbxjSDlxfjwc+9ZtXA
Source: wqr5mayt.mmg.3.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 5fnrWlGa3H.exe Binary or memory string: pHYzpyIJOq9oTHm99JGwB3Z9PrCF+xLcZmHd6rCqGQorLMi3YrJ4ummlFgNiVT7xcNlQqtQGohZQ59uF9oFhemscUskr6KM8GqhAjrlVmCiTzWFjohYe4Cz74yTcoe9aXdwX2qU39pL8XA6/2Wt1Ib7UbSuH9r6M4/mJYamu5jvsUBEi4AqNR/dEo3++FIo0ZHk3kv0IVNskH0RBZ2Zl5bP4LIpTX2FRTyMuQ+hLu5IhsS5Txp9aM4xWBCD+WRVImvqZ
Source: wqr5mayt.mmg.3.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: wqr5mayt.mmg.3.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wqr5mayt.mmg.3.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory written: C:\Users\user\Desktop\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Memory written: C:\Users\user\Desktop\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory written: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Memory written: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\Desktop\5fnrWlGa3H.exe C:\Users\user\Desktop\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe "C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe"
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Process created: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Users\user\Desktop\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\5fnrWlGa3H.exe VolumeInformation
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5fnrWlGa3H.exe, 00000003.00000002.4523467453.00000000011B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 7.2.5fnrWlGa3H.exe.318b08c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.5fnrWlGa3H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6640, type: MEMORYSTR
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5fnrWlGa3H.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 7.2.5fnrWlGa3H.exe.318b08c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.5fnrWlGa3H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.5fnrWlGa3H.exe.318b08c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5fnrWlGa3H.exe.2f0a99c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2065305601.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2050162445.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2067144840.0000000003387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2067144840.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2065305601.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5fnrWlGa3H.exe PID: 6640, type: MEMORYSTR