
Windows Analysis Report
PO#83298373729383838392387373873PDF.exe

Overview

General Information

Sample name: PO#83298373729383838392387373873PDF.exe
Analysis ID: 1560406
MD5: cfba70c85197dbf3794d29ec1a028e41
SHA1: 553ace7a4399cf320f99781e6aa01de7387beb3c
SHA256: 8f936683a4a1f0ea60bcfafa320c4669b85d8cba070203a5f539b4cd7bd078a0
Tags: exe, user-lowmal3
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO#83298373729383838392387373873PDF.exe (PID: 5456 cmdline: "C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe" MD5: CFBA70C85197DBF3794D29EC1A028E41)
    • InstallUtil.exe (PID: 3160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 5248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["nwamama.ydns.eu"], "Port": 3791, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7786:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7823:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7938:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7434:$cnc4: POST / HTTP/1.1
00000000.00000002.2051601524.00000000058A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1e66e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1e70b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1e820:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1e31c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.2.InstallUtil.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7986:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7a23:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b38:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7634:$cnc4: POST / HTTP/1.1
0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5b86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5c23:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5d38:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5834:$cnc4: POST / HTTP/1.1
0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe, ProcessId: 5456, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs
No Suricata rule has matched

AV Detection

Source: nwamama.ydns.eu | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["nwamama.ydns.eu"], "Port": 3791, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Name.exe | ReversingLabs: Detection: 55%
Source: PO#83298373729383838392387373873PDF.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Name.exe | Joe Sandbox ML: detected
Source: PO#83298373729383838392387373873PDF.exe | Joe Sandbox ML: detected
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: nwamama.ydns.eu
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: 3791
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: <123456789>
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: XWorm V5.6
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack | String decryptor: USB.exe
Source: PO#83298373729383838392387373873PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#83298373729383838392387373873PDF.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb@ source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\InstallUtil.pdb1 source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbu E#k source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb:\G# source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: |symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: nwamama.ydns.eu
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: initial sample | Static PE information: Filename: PO#83298373729383838392387373873PDF.exe
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Code function: 0_2_06190007
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Code function: 0_2_06190040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_00F90EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000000.2020816892.0000000000252000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002A13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2050414859.0000000005220000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHvgtipgb.dll" vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051358330.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2029680955.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe | Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe
Source: PO#83298373729383838392387373873PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: PO#83298373729383838392387373873PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Name.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\xfLucCIETglxMGYM
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\98c053a2-c728-4a66-80a3-1c67fdb675c5
Source: PO#83298373729383838392387373873PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO#83298373729383838392387373873PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#83298373729383838392387373873PDF.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | File read: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe "C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe"
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: PO#83298373729383838392387373873PDF.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#83298373729383838392387373873PDF.exe -- Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb@ source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\symbols\exe\InstallUtil.pdb1 source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbu E#k source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb:\G# source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: |symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp

              Data Obfuscation

Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs -- .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs -- .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, XmlSerializationHelper.cs -- .Net Code: ReadObjectProperties
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- .Net Code: Memory
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeModel.cs -- .Net Code: TryDeserializeList
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, ListDecorator.cs -- .Net Code: Read
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs -- .Net Code: CreateInstance
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs -- .Net Code: EmitCreateInstance
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs -- .Net Code: EmitCreateIfNull
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs -- .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs -- .Net Code: InvokeMethod
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, XmlSerializationHelper.cs -- .Net Code: ReadObjectProperties
Source: Yara match -- File source: 0.2.PO#83298373729383838392387373873PDF.exe.58a0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2051601524.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Code function: 0_2_061970ED pushad ; ret 0_2_061970FD
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Code function: 0_2_06196907 push ecx; retf 0_2_0619690C
Source: PO#83298373729383838392387373873PDF.exe -- Static PE information: section name: .text entropy: 7.718517547006481
Source: Name.exe.0.dr -- Static PE information: section name: .text entropy: 7.718517547006481
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- File created: C:\Users\user\AppData\Roaming\Name.exe (dropped file)
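
The two LateCall / AppDomain.Load entries above describe the plugin path of this client: a base64 string received from the C2 (Pack[3]) is decoded, passed through Helper.Decompress, loaded with System.AppDomain.Load(byte[]) and then a method on the loaded assembly is invoked by name. The script below is an added example for this report, not code from the sample or from Joe Sandbox. It mirrors that pipeline for an analyst who has such a blob, with the checks the client itself does not make: it assumes the decompression is GZip (an assumption; confirm against Helper.Decompress in the decompiled code), bounds the decompressed size, and refuses anything that is not a managed PE, using the same IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory the static PE information above reports for the dropper. The sample blob is constructed inside the script and is not real traffic.

```python
"""Unpack a base64+compressed .NET plugin blob the way the client code does and
verify it is a managed PE before it would reach AppDomain.Load(byte[]).
Assumptions (not taken from the report): decompression is GZip; the sample
image below is a constructed minimal PE32 header, not a real assembly."""
import base64
import gzip
import io
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory pointing at the CLR header


def build_fake_managed_pe(clr_rva=0x2008, clr_size=0x48):
    """Construct a minimal PE32 header (no sections) whose data directory 14
    points at a CLR header. Enough for is_managed_pe(); not loadable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\x00")
    # COFF header: Machine=i386, NumberOfSections=0, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    # Optional header: Magic=0x10B, zeroed fields up to NumberOfRvaAndSizes at 0x5C, then 16 dirs
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0x5C - 2) + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (clr_rva, clr_size)
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    assert len(opt) == 0xE0
    return dos + b"PE\x00\x00" + coff + opt


def is_managed_pe(data):
    """True if data is a PE whose IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry is non-empty.
    Every offset is bounds-checked, so truncated or hostile input returns False."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF.SizeOfOptionalHeader
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off = opt + 0x5C
    elif magic == 0x20B:      # PE32+
        ndirs_off = opt + 0x6C
    else:
        return False
    if ndirs_off + 4 > opt + opt_size:
        return False
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    entry = ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + opt_size:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def pack_plugin(assembly_bytes):
    """Server side of the exchange as assumed here: base64(gzip(assembly))."""
    return base64.b64encode(gzip.compress(assembly_bytes)).decode("ascii")


def unpack_plugin(b64_blob, max_size=16 * 1024 * 1024):
    """Mirror of Helper.Decompress(Convert.FromBase64String(...)) with a size bound and
    a managed-PE check. Returns the assembly bytes or raises ValueError."""
    raw = base64.b64decode(b64_blob, validate=True)
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(max_size + 1)  # read at most one byte over the limit
    if len(data) > max_size:
        raise ValueError("decompressed payload exceeds limit (decompression bomb?)")
    if not is_managed_pe(data):
        raise ValueError("payload is not a managed PE; would not be loadable by AppDomain.Load")
    return data


def looks_like_plugin(b64_blob):
    """Boolean wrapper for rule engines: True only if unpack_plugin() accepts the blob."""
    try:
        unpack_plugin(b64_blob)
        return True
    except (ValueError, OSError, EOFError):
        return False


if __name__ == "__main__":
    blob = pack_plugin(build_fake_managed_pe())
    print(f"constructed blob: {blob[:40]}... -> managed PE: {looks_like_plugin(blob)}")
```

On a real capture, run unpack_plugin() on the Pack[3] field and hand the returned bytes to a .NET decompiler; if is_managed_pe() fails but the data decompresses cleanly, the assumption about the compression scheme is the first thing to revisit.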

              Boot Survival

Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs (dropped file; 3 identical entries)
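
The process tree at the top of this section (the dropper starting InstallUtil.exe with nothing but its own path on the command line, and that InstallUtil.exe then crashing into WerFault) together with the two file drops, Name.exe under AppData\Roaming and Name.vbs in the user's Startup folder, are the host-visible side of this sample. The script below is an added example for this report, not Joe Sandbox or XWorm code: it turns both observations into detection logic over a Sysmon-style event stream and groups the hits by the parent process that produced them, so the dropper surfaces as one actor with several corroborating findings. The event format, the sample events (modelled on Sysmon event IDs 1 and 11) and the list of .NET hollowing hosts beyond InstallUtil.exe are the editor's constructions and assumptions.

```python
"""Detect the two behaviours recorded for this sample in Sysmon-style telemetry:
(1) a .NET framework utility started with an empty command line by a binary in a
user-writable path (process-hollowing host), optionally followed by a WerFault
crash of that host; (2) an autostart script dropped into a Startup folder and
an .exe written straight under AppData\\Roaming.
Constructed example: event dicts and SAMPLE_EVENTS are made up to mirror the report."""
import ntpath
import re

# .NET framework binaries commonly used as hollowing hosts (editor's list, an assumption)
HOLLOW_TARGETS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "aspnet_compiler.exe", "applaunch.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
ROAMING_ROOT_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+$", re.I)
AUTOSTART_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta",
                 ".exe", ".scr", ".lnk"}

DROPPER = r"C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"

# Constructed telemetry: the report's process tree plus a benign build-server use of InstallUtil
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 5456, "ppid": 1234, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"event": "FileCreate", "pid": 5456, "target": r"C:\Users\user\AppData\Roaming\Name.exe"},
    {"event": "FileCreate", "pid": 5456,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs"},
    {"event": "ProcessCreate", "pid": 3160, "ppid": 5456, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
    {"event": "ProcessCreate", "pid": 4444, "ppid": 3160, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904"},
    {"event": "ProcessCreate", "pid": 7000, "ppid": 1, "image": MSBUILD, "cmdline": f'"{MSBUILD}" build.proj'},
    {"event": "ProcessCreate", "pid": 7001, "ppid": 7000, "image": INSTALLUTIL,
     "cmdline": f'"{INSTALLUTIL}" C:\\build\\MyService.exe'},
]


def cmdline_args(cmdline):
    """Return whatever follows the program path on a Windows command line ('' if nothing)."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        rest = c[end + 1:] if end != -1 else ""
    else:
        parts = c.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def triage(events):
    """Return (actor_pid, severity, message) findings. The actor is the process that spawned
    the hollowing host or wrote the file, so the dropper collects all related hits."""
    procs = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["event"] == "ProcessCreate":
            base = ntpath.basename(e["image"]).lower()
            if base in HOLLOW_TARGETS and cmdline_args(e["cmdline"]) == "":
                parent = procs.get(e["ppid"], {}).get("image", "<unknown>")
                sev = "high" if any(t in parent.lower() for t in USER_WRITABLE) else "medium"
                findings.append((e["ppid"], sev,
                                 f"{base} (pid {e['pid']}) started with an empty command line by "
                                 f"{parent}: process-hollowing host pattern"))
            elif base == "werfault.exe":
                m = re.search(r"-p\s+(\d+)", e["cmdline"])
                crashed = procs.get(int(m.group(1))) if m else None
                if crashed and ntpath.basename(crashed["image"]).lower() in HOLLOW_TARGETS:
                    findings.append((crashed["ppid"], "medium",
                                     f"hollowing host pid {crashed['pid']} crashed into WerFault"))
        elif e["event"] == "FileCreate":
            target = e["target"]
            ext = ntpath.splitext(target)[1].lower()
            if STARTUP_RE.search(target) and ext in AUTOSTART_EXT:
                findings.append((e["pid"], "high", f"autostart file dropped: {target}"))
            elif ext in {".exe", ".dll", ".scr"} and ROAMING_ROOT_RE.search(target):
                findings.append((e["pid"], "low", f"executable written to AppData\\Roaming root: {target}"))
    return findings


def summarize(findings):
    """Group findings by actor pid; a pid with a high hit plus any other hit is worth escalating."""
    by_pid = {}
    for pid, sev, msg in findings:
        by_pid.setdefault(pid, []).append((sev, msg))
    return by_pid


if __name__ == "__main__":
    for pid, hits in summarize(triage(SAMPLE_EVENTS)).items():
        print(f"pid {pid}:")
        for sev, msg in hits:
            print(f"  [{sev}] {msg}")
```

The empty-command-line condition is what separates the hollowing host from legitimate use: InstallUtil.exe run by a build or installer always carries an assembly path, whereas a loader that only needs a signed, framework-resident process to overwrite never passes one. The Startup-folder rule fires on the drop itself, before the script ever runs at the next logon.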
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (2 identical entries)

              Malware Analysis System Evasion

Source: Yara match -- File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Memory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Memory allocated: F90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 616 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 6464 -- Thread sleep count: 191 > 30
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe TID: 6464 -- Thread sleep count: 99 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Thread delayed: delay time: 922337203685477
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: model0Microsoft|VMWare|Virtual
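
The memory strings above give away the host-fingerprint test this sample runs before doing anything useful: a WMI query "select * from Win32_ComputerSystem", the alternation "VMware|VIRTUAL|A M I|Xen" matched against the manufacturer, "Microsoft|VMWare|Virtual" matched against the model, and a check for SbieDll.dll (Sandboxie) in the process. The script below is an added example for this report, not the sample's code, that reproduces those checks so an analyst can feed in an analysis VM's own identity strings and see whether the sample would bail out there. Which WMI property each regex is applied to, the case-insensitive matching and the host records used as input are assumptions made for the example.

```python
"""Reproduce the VM / sandbox fingerprint checks implied by the strings in this report
and evaluate them against candidate analysis hosts.
Assumptions (not from the report): the first regex is applied to
Win32_ComputerSystem.Manufacturer, the second to .Model, both case-insensitively;
the Sandboxie check is a loaded-module name test; HOSTS records are constructed."""
import re

MANUFACTURER_RE = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)  # 'A M I' = American Megatrends
MODEL_RE = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
SANDBOX_MODULES = {"sbiedll.dll"}  # Sandboxie injects this DLL into sandboxed processes

# Constructed Win32_ComputerSystem records for typical analysis hosts (default SMBIOS strings)
HOSTS = {
    "vmware-default": {"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"},
    "hyperv-default": {"Manufacturer": "Microsoft Corporation", "Model": "Virtual Machine"},
    "kvm-default": {"Manufacturer": "QEMU", "Model": "Standard PC (Q35 + ICH9, 2009)"},
    "physical-laptop": {"Manufacturer": "Dell Inc.", "Model": "Latitude 7420"},
}


def antivm_triggers(computer_system, loaded_modules=()):
    """Return the reasons the sample's checks would fire; an empty list means the host
    passes as 'real'. computer_system is a dict with Manufacturer/Model; loaded_modules
    is an iterable of module paths as a process-module listing would report them."""
    reasons = []
    manufacturer = computer_system.get("Manufacturer", "")
    model = computer_system.get("Model", "")
    m = MANUFACTURER_RE.search(manufacturer)
    if m:
        reasons.append(f"Manufacturer {manufacturer!r} matches {m.group(0)!r}")
    m = MODEL_RE.search(model)
    if m:
        reasons.append(f"Model {model!r} matches {m.group(0)!r}")
    for mod in loaded_modules:
        name = mod.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SANDBOX_MODULES:
            reasons.append(f"sandbox module loaded: {mod}")
    return reasons


def hosts_that_pass(hosts=HOSTS):
    """Names of hosts whose SMBIOS strings would not trip the checks (sorted)."""
    return sorted(name for name, cs in hosts.items() if not antivm_triggers(cs))


if __name__ == "__main__":
    for name, cs in HOSTS.items():
        hits = antivm_triggers(cs)
        print(f"{name}: {'passes' if not hits else '; '.join(hits)}")
```

The useful result is the negative case: with default strings, a KVM/QEMU guest and a physical machine pass this particular test, while VMware and Hyper-V guests are caught on their manufacturer or model string alone. Hardening a VMware or Hyper-V analysis VM against this sample therefore starts with overriding those two SMBIOS fields, not with hiding the hypervisor CPUID bit or device drivers, which this code never inspects.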
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, NativeMethods.cs -- Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ResourceReferenceValue.cs -- Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs -- Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, XLogger.cs -- Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Queries volume information: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match -- File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match -- File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt from the flattened grid, one line per tactic column, cells in the report's row order). A number in front of a technique is the count the report attaches to that cell, i.e. a technique that signatures matched, reproduced as printed; unnumbered entries are the matrix's standard placeholder cells and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scripting; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 211 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 13 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection, submitted file
Source | Detection | Scanner | Label
PO#83298373729383838392387373873PDF.exe | 55% | ReversingLabs | ByteCode-MSIL.Packed.Generic
PO#83298373729383838392387373873PDF.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Name.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Name.exe | 55% | ReversingLabs | ByteCode-MSIL.Packed.Generic

No Antivirus matches (two further scan tables are empty)

Antivirus detection, URLs
Source | Detection | Scanner | Label
nwamama.ydns.eu | 100% | Avira URL Cloud | malware

No contacted domains info

Domains
Name | Malicious | Antivirus Detection | Reputation
nwamama.ydns.eu | true | Avira URL Cloud: malware | unknown

URLs
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-net | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp | false | | high

Note: nwamama.ydns.eu comes from the extracted configuration, not from observed traffic (the report records no network behavior); ydns.eu is a free dynamic-DNS service, so alert on the full host name rather than the parent domain. The github.com and stackoverflow.com entries are string literals from the protobuf-net serialization library compiled into the sample, and the schemas.xmlsoap.org entry is the .NET ClaimTypes.Name constant; the trailing "i", "J" and ";" are string-carving artefacts. None of these are contact points, which the Malicious = false rating already reflects.

No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1560406
                            Start date and time:2024-11-21 19:07:06 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 35s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:PO#83298373729383838392387373873PDF.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.expl.evad.winEXE@4/3@0/0
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 81%
                            • Number of executed functions: 30
                            • Number of non-executed functions: 2
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target InstallUtil.exe, PID 3160 because it is empty
                            • Execution Graph export aborted for target PO#83298373729383838392387373873PDF.exe, PID 5456 because it is empty
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • VT rate limit hit for: PO#83298373729383838392387373873PDF.exe
Autostart entries
Time | Type | Description
19:07:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs
Dropped file 1 (the file name was not preserved in this extraction; the content is the launcher behind the autostart entry C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.vbs)
Process:C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):80
Entropy (8bit):4.751318838740553
Encrypted:false
SSDEEP:3:FER/n0eFHHoUkh4EaKC5QIAL4iHHn:FER/lFHI9aZ5Q9kin
MD5:E911046B9052A2A4D4AEB71346ABBAE8
SHA1:6006DBBA483B638C155F3552AEAF76E7E1A549E5
SHA-256:81B4A6973D7B7DF892242943C7F86E97282D8ED6BAADF22F8E651CE8430E399C
SHA-512:EEAAAED18E4B3486E5ABE775EF65F50D966D0D094DBC81EA625BE4BF0020F81CD3019E0E5801C19C5385FD9A42EC0D78F1159764B8487965221EC6700ABBC634
Malicious:true
Reputation:low
Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Name.exe"""
Note: a one-line WScript.Shell launcher in the per-user Startup folder starts the copy in %APPDATA% at every logon without touching a Run key. The preview as printed is 78 characters against a reported size of 80 bytes, so do not re-derive the hashes from it.

Dropped file 2 (C:\Users\user\AppData\Roaming\Name.exe according to the antivirus table; MD5, SHA1 and SHA-256 are identical to the submitted sample, so this is a self-copy and the path the launcher above runs)
Process:C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1017344
Entropy (8bit):7.714880062427019
Encrypted:false
SSDEEP:24576:9Y2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YnYAqYDYAHtFyrqiu0XIQPD4c2b3:lpzAIiDJ2bsM8+fWu3P/f33
MD5:CFBA70C85197DBF3794D29EC1A028E41
SHA1:553ACE7A4399CF320F99781E6AA01DE7387BEB3C
SHA-256:8F936683A4A1F0EA60BCFAFA320C4669B85D8CBA070203A5F539B4CD7BD078A0
SHA-512:2483EBE8CF15C57527907E7E9E2E1ED34F7F390A1A96C8FC4D7C6C2C5CEC4D2FAB05A4C2A84BC376063C1438F837D4AB5E1977AEA5F6CE89EDF38B4239F13BBE
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.?g.................|............... ........@.. ....................................`.................................p...K.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H............................F..........................................?.C.:....g|........>~.g?..!.....t}....]...W........>6#S....>.....`T?.(.>_'.>.......&!?.V!......>&..^..f.....O.n?T.>b,.>.......xcm?>.........7.._...h".......{..7?..&.......w..9..8f........f?.Q.>........+.d?Y.............<.'....?......r?a.G..`}>....*..>..N.G......r6a?.?.>.Y.>....z..?AH2?...>....-'....|..Yk.....g....8..7.O?.........:u>..A.....,J.>..I...n.....q.Z...a..l......PY?6..>+l.....H...../.

Dropped file 3 (file name not preserved; a Zone.Identifier alternate data stream that the sample modified)
Process:C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview:[ZoneTransfer]....ZoneId=0
Note: ZoneId=0 is URLZONE_LOCAL_MACHINE. Rewriting the stream to 0 strips the mark-of-the-web from the file it belongs to, which is why the sandbox flags a 26-byte text file as malicious even though the bytes themselves are common (hence the high reputation).
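The three artefacts above can be tied together mechanically. The following Python is an added example written for this page, not Joe Sandbox or XWorm code: it parses the VBS launcher preview exactly as printed, compares the dropped executable's hash with the submitted sample's, and decodes the Zone.Identifier stream (the CRLFs are reconstructed where the preview shows dots). The helper names, the user-profile path pattern, the benign control launcher, the ATT&CK ids it assigns and the launcher_in_startup flag are this example's own choices.

```python
"""Triage of the dropped artefacts listed in the report: added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the report.  The VBS preview is 78 characters against a reported
# 80-byte file, so it is parsed as text, never re-hashed.
VBS_PREVIEW = 'CreateObject("WScript.Shell").Run """C:\\Users\\user\\AppData\\Roaming\\Name.exe"""'
SAMPLE_SHA256 = "8f936683a4a1f0ea60bcfafa320c4669b85d8cba070203a5f539b4cd7bd078a0"
DROPPED_EXE_SHA256 = "8F936683A4A1F0EA60BCFAFA320C4669B85D8CBA070203A5F539B4CD7BD078A0"
# Reconstructed from the preview "[ZoneTransfer]....ZoneId=0" (dots = CR/LF bytes).
ZONE_PREVIEW = "[ZoneTransfer]\r\n\r\nZoneId=0"
# Constructed control: same launcher shape, but pointing at a Program Files path.
BENIGN_VBS = 'CreateObject("WScript.Shell").Run """C:\\Program Files\\Vendor\\Tool.exe"""'

_RUN_ARG = re.compile(r'\.Run\s+"((?:[^"]|"")*)"', re.IGNORECASE)
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.IGNORECASE)
# URLZONE_* values as used by the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def wscript_run_target(vbs_text: str) -> Optional[str]:
    """Return the path a WScript.Shell .Run call launches, or None.

    VBScript escapes a quote inside a string by doubling it, so the literal
    \"\"\"C:\\x\"\"\" is the string \"C:\\x\" with its quotes; those are stripped."""
    m = _RUN_ARG.search(vbs_text)
    if not m:
        return None
    arg = m.group(1).replace('""', '"').strip()
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        arg = arg[1:-1]
    return arg or None


def zone_id(stream_text: str) -> Optional[int]:
    """Parse ZoneId from an INI-style Zone.Identifier stream; blank lines are ignored."""
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None


@dataclass
class Triage:
    launch_target: Optional[str]
    target_in_user_profile: bool
    dropped_is_self_copy: bool
    zone: Optional[str]
    techniques: List[str]


def triage(vbs_text: str, sample_sha256: str, dropped_sha256: str, zone_stream: str,
           launcher_in_startup: bool = True) -> Triage:
    """Combine the three artefacts into one verdict with ATT&CK technique ids."""
    target = wscript_run_target(vbs_text)
    in_profile = bool(target and _USER_WRITABLE.match(target))
    self_copy = sample_sha256.lower() == dropped_sha256.lower()
    zid = zone_id(zone_stream)
    techniques: List[str] = []
    if target and launcher_in_startup:
        techniques.append("T1547.001")   # Startup Folder autostart
    if self_copy and in_profile:
        techniques.append("T1036")       # self-copy under an innocuous name in the profile
    if zid == 0:
        techniques.append("T1553.005")   # ZoneId=0 (LocalMachine) clears mark-of-the-web
    zone = ZONE_NAMES.get(zid) if zid is not None else None
    return Triage(target, in_profile, self_copy, zone, techniques)


if __name__ == "__main__":
    print(triage(VBS_PREVIEW, SAMPLE_SHA256, DROPPED_EXE_SHA256, ZONE_PREVIEW))
```

The quote handling matters in practice: a naive split on double quotes returns an empty string for this launcher, and a regex that stops at the first quote misses the path entirely.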
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.714880062427019
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:PO#83298373729383838392387373873PDF.exe
                            File size:1'017'344 bytes
                            MD5:cfba70c85197dbf3794d29ec1a028e41
                            SHA1:553ace7a4399cf320f99781e6aa01de7387beb3c
                            SHA256:8f936683a4a1f0ea60bcfafa320c4669b85d8cba070203a5f539b4cd7bd078a0
                            SHA512:2483ebe8cf15c57527907e7e9e2e1ed34f7f390a1a96c8fc4d7c6c2c5cec4d2fab05a4c2a84bc376063c1438f837d4ab5e1977aea5f6ce89edf38b4239f13bbe
                            SSDEEP:24576:9Y2YACYOYGYAAYAtY0YHYAkYAtYJYAAYoYA2YnYAqYDYAHtFyrqiu0XIQPD4c2b3:lpzAIiDJ2bsM8+fWu3P/f33
                            TLSH:7D25F1615AC785BFF8798DF475C26C31932087EB2652C6C82DF3EC79853935A60A234E
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.?g.................|............... ........@.. ....................................`................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x4f9abe
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x673F1C52 [Thu Nov 21 11:41:06 2024 UTC] (about six and a half hours before the analysis start of 19:07:06 +01:00, i.e. 18:07 UTC)
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point)
jmp dword ptr [00402000h]
The 97 lines of "add byte ptr [eax], al" the report prints after the jmp are the disassembler reading zero padding, not code. The jmp goes through 0x402000, the single 4-byte slot of the IAT (RVA 0x2000, size 8, imagebase 0x400000) whose only import is mscoree.dll!_CorExeMain: the standard entry stub of a 32-bit managed executable. The native disassembly therefore says nothing about the program; analysis starts from the CLR metadata referenced by the COM descriptor at RVA 0x2008.
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf9a70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfa000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf7ac4 | 0xf7c00 | 3527485cd6aaa46f5b18d423394b3faf | False | 0.807066331357215 | data | 7.718517547006481 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xfa000 | 0x5a6 | 0x600 | 7def883489529aef6d3b7a664125b0e5 | False | 0.41796875 | data | 4.084978737422397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfc000 | 0xc | 0x200 | 4068aa901a37283adf470c4c9952ea0c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: .text holds 0xf7c00 of the 1,017,344 file bytes at 7.72 bits of entropy, which agrees with the ReversingLabs label ByteCode-MSIL.Packed.Generic and the Costura assembly loader Yara hit below: the visible assembly is a loader, and the payload sits compressed or encrypted inside it.
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xfa0a0 | 0x31c | data | | | 0.4296482412060301
RT_MANIFEST | 0xfa3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports
DLL | Import
mscoree.dll | _CorExeMain
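What these header fields say when read together, as an added Python example (not Joe Sandbox code): the six-byte entry stub is reconstructed from the "jmp dword ptr [00402000h]" line and checked against the IAT directory, the section table is run through a packing heuristic, and the compile timestamp is decoded. All numbers are copied from the report; the entropy and size-share thresholds, and the function names, are this example's own choices.

```python
"""Static triage from the PE header fields in the report: added example, not Joe Sandbox code."""
import struct
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# Values copied from the report.
IMAGEBASE = 0x400000
ENTRYPOINT_RVA = 0x4f9abe - IMAGEBASE      # report gives the entry point as a VA
IAT_RVA, IAT_SIZE = 0x2000, 0x8
COM_DESCRIPTOR_RVA = 0x2008
TIMESTAMP = 0x673F1C52
FILE_SIZE = 1017344
# Reconstructed from the disassembly line: FF 25 = jmp dword ptr [imm32], little-endian slot.
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x402000)


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    executable: bool


SECTIONS: List[Section] = [
    Section(".text", 0x2000, 0xf7ac4, 0xf7c00, 7.718517547006481, True),
    Section(".rsrc", 0xfa000, 0x5a6, 0x600, 4.084978737422397, False),
    Section(".reloc", 0xfc000, 0xc, 0x200, 0.10191042566270775, False),
]


def managed_entry_stub(stub: bytes, imagebase: int, iat_rva: int, iat_size: int) -> bool:
    """True if the entry point is `jmp dword ptr [slot]` with the slot inside the IAT.

    A 32-bit .NET PE starts this way: its only import is mscoree!_CorExeMain and
    the stub jumps through that IAT slot, so x86 disassembly of the entry point
    reveals nothing; the managed entry point lives in the CLR metadata."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return False
    slot = struct.unpack_from("<I", stub, 2)[0]
    return imagebase + iat_rva <= slot < imagebase + iat_rva + iat_size


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def looks_packed(sections: List[Section], file_size: int,
                 min_entropy: float = 7.0, min_share: float = 0.9) -> bool:
    """Packing heuristic (thresholds are this example's): one executable section
    holds almost the whole file at near-random entropy."""
    return any(s.executable and s.entropy >= min_entropy and s.raw_size / file_size >= min_share
               for s in sections)


def compile_time(timestamp: int) -> datetime:
    """PE TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def pe_triage() -> Dict[str, object]:
    entry_section = section_for_rva(ENTRYPOINT_RVA, SECTIONS)
    return {
        "managed_entry": managed_entry_stub(ENTRY_STUB, IMAGEBASE, IAT_RVA, IAT_SIZE),
        "entry_section": entry_section.name if entry_section else None,
        "packed": looks_packed(SECTIONS, FILE_SIZE),
        "compiled": compile_time(TIMESTAMP).isoformat(),
    }


if __name__ == "__main__":
    print(pe_triage())
```

One detail the numbers expose: .text ends at RVA 0x2000 + 0xf7ac4 = 0xf9ac4 and the entry point is at 0xf9abe, so the six-byte stub is literally the last six bytes of the section, right after the import directory at 0xf9a70.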
                            No network behavior found

                            Target ID:0
                            Start time:13:07:53
                            Start date:21/11/2024
                            Path:C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe"
                            Imagebase:0x250000
                            File size:1'017'344 bytes
                            MD5 hash:CFBA70C85197DBF3794D29EC1A028E41
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2051601524.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
Has exited:true
Note: the "Programmed in" guess above is the sandbox's heuristic; the file is a Mono/.NET assembly (file type, TrID and the MSIL label from ReversingLabs all agree).

                            Target ID:2
                            Start time:13:07:54
                            Start date:21/11/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                            Imagebase:0x630000
                            File size:42'064 bytes
                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:moderate
Has exited:false
Note: the sample started InstallUtil.exe with a bare command line although the legitimate tool needs an assembly path, and the XWorm and AsyncRAT Yara rules fire on its 0x402000 region, so the unpacked RAT runs inside this Microsoft .NET Framework binary rather than in the sample's own process.

                            Target ID:5
                            Start time:13:07:58
                            Start date:21/11/2024
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
                            Imagebase:0x8c0000
                            File size:483'680 bytes
                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
Has exited:true
Note: -p 3160 names the InstallUtil.exe host above, so the crash report belongs to the hollowed process, which was still listed as running when the analysis timed out.
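Turning the process tree above into detection logic, as an added Python example (not Joe Sandbox code) run over constructed Sysmon-style records that mirror the tree plus one benign control. The rules are this example's own: a .NET utility such as InstallUtil.exe started with an empty argument list by a parent under C:\Users, a WerFault invocation naming an already-flagged PID, a document-named executable running from a user path, and a dynamic-DNS lookup from a flagged process. It generalises beyond the report in two places, the host list (other .NET Framework utilities that take an assembly argument) and the dynamic-DNS suffix list; both are assumptions. The report recorded no network traffic, so the DNS record and the WerFault PID are constructed.

```python
"""Detection logic for the process chain in the report: added example, not Joe Sandbox code.

EVENTS are constructed Sysmon-style records (EventID 1 = process create,
EventID 22 = DNS query); the field names follow Sysmon, the records are made up here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# .NET Framework utilities that expect an assembly path and are commonly used as
# hosts for hollowed payloads (assumed list, generalised from the report's InstallUtil.exe).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
DOCUMENT_NAMED = re.compile(r"(pdf|docx?|xlsx?|jpe?g)\.exe$", re.IGNORECASE)
# Free dynamic-DNS suffixes (assumed list; ydns.eu is the one the configured C2 uses).
DYNDNS_SUFFIXES = (".ydns.eu", ".duckdns.org", ".no-ip.org", ".ddns.net")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Return the command line with its (optionally quoted) image token removed."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    return cmd.split(" ", 1)[1].strip() if " " in cmd else ""


def evaluate(events: List[Dict]) -> List[Alert]:
    """Run the rules in event order; later rules may depend on earlier flags."""
    alerts: List[Alert] = []
    suspect_pids = set()
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), ev["ParentImage"]
            # Rule 1: a .NET host utility started with no arguments by something under C:\Users.
            if image in DOTNET_HOSTS and not args_after_image(ev["CommandLine"]) \
                    and USER_WRITABLE.match(parent):
                suspect_pids.add(ev["ProcessId"])
                alerts.append(Alert("dotnet_host_no_args_user_parent", ev["ProcessId"],
                                    f"{image} with empty command line, parent {parent}"))
            # Rule 2: WerFault reporting a crash of a process rule 1 already flagged.
            if image == "werfault.exe":
                m = re.search(r"-p\s+(\d+)", ev["CommandLine"])
                if m and int(m.group(1)) in suspect_pids:
                    alerts.append(Alert("crash_of_suspect_host", int(m.group(1)),
                                        "WerFault for a flagged host process"))
            # Rule 3: executable under a user path named like a document (…PDF.exe).
            if USER_WRITABLE.match(ev["Image"]) and DOCUMENT_NAMED.search(image):
                alerts.append(Alert("document_named_exe", ev["ProcessId"], ev["Image"]))
        elif ev["EventID"] == 22:
            # Rule 4: dynamic-DNS lookup issued by a flagged process.
            if ev["QueryName"].lower().endswith(DYNDNS_SUFFIXES) and ev["ProcessId"] in suspect_pids:
                alerts.append(Alert("dyndns_from_suspect_host", ev["ProcessId"], ev["QueryName"]))
    return alerts


# Constructed events modelled on the report's process tree (PIDs 5456 and 3160 as reported,
# WerFault's PID and parent are assumed).
SAMPLE = r"C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 5456, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3160, "Image": INSTALLUTIL, "CommandLine": f'"{INSTALLUTIL}"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 6012, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904",
     "ParentImage": INSTALLUTIL},
    # The sandbox saw no traffic; this is what a beacon lookup from the host would look like.
    {"EventID": 22, "ProcessId": 3160, "QueryName": "nwamama.ydns.eu"},
    # Benign control: an installer using InstallUtil.exe properly, with an assembly argument.
    {"EventID": 1, "ProcessId": 7000, "Image": INSTALLUTIL,
     "CommandLine": f'"{INSTALLUTIL}" "C:\\Program Files\\Vendor\\Service.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Rule 1 on its own is the high-value one: InstallUtil.exe with no arguments has no legitimate use, and the parent path separates it from build or install tooling. Rules 2 and 4 only corroborate, which is why they key off PIDs rule 1 already flagged instead of firing on every WerFault or dynamic-DNS event.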
