Windows Analysis Report
enigma_loader.exe

Malicious sample detected (through community Yara rule)

System Summary

Source: enigma_loader.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.enigma_loader.exe.d50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F6FE6	0_2_00007FFD9B7F6FE6
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F9E39	0_2_00007FFD9B7F9E39
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F0F6D	0_2_00007FFD9B7F0F6D
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F7D92	0_2_00007FFD9B7F7D92
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F1289	0_2_00007FFD9B7F1289
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F0F70	0_2_00007FFD9B7F0F70
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 1_2_00007FFD9B801289	1_2_00007FFD9B801289
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD9B801289	3_2_00007FFD9B801289

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 7268 -ip 7268

Source: enigma_loader.exe, 00000000.00000000.1652799704.0000000000D5C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename' vs enigma_loader.exe
Source: enigma_loader.exe	Binary or memory string: OriginalFilename' vs enigma_loader.exe

Source: enigma_loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: enigma_loader.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.enigma_loader.exe.d50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: enigma_loader.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: enigma_loader.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: enigma_loader.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: enigma_loader.exe, Settings.cs	Base64 encoded string: 'ZyutD39pvQ6wkLqkHb6LZMoKuTIox94EhvCZsMR9u0YfgkrgjMK/Dknzqeaaz3fh'
Source: svchost.exe.0.dr, Settings.cs	Base64 encoded string: 'ZyutD39pvQ6wkLqkHb6LZMoKuTIox94EhvCZsMR9u0YfgkrgjMK/Dknzqeaaz3fh'

Source: enigma_loader.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: enigma_loader.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/10@1/1

Source: C:\Users\user\Desktop\enigma_loader.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\enigma_loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\E59Ydw781RvghOaK
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7268

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bc730eb6-9708-4f8d-af68-0c82d8009e43

Source: enigma_loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: enigma_loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\enigma_loader.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\enigma_loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: enigma_loader.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\enigma_loader.exe

File read: C:\Users\user\Desktop\enigma_loader.exe

Source: unknown	Process created: C:\Users\user\Desktop\enigma_loader.exe "C:\Users\user\Desktop\enigma_loader.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 7268 -ip 7268
Source: C:\Users\user\Desktop\enigma_loader.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7268 -s 1880
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 7268 -ip 7268	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7268 -s 1880	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Source: svchost.lnk.0.dr

LNK file: ..\..\..\..\..\svchost.exe

Source: C:\Users\user\Desktop\enigma_loader.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: enigma_loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: enigma_loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: .pdbq source: enigma_loader.exe, 00000000.00000002.3061899008.000000001C0F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb? source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\enigma_loader.PDB source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb5 source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbv source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3061899008.000000001C0F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: enigma_loader.exe, 00000000.00000002.3061899008.000000001C0F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3061899008.000000001C0F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbO source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3058768185.00000000012D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3058768185.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, enigma_loader.exe, 00000000.00000002.3061511160.000000001BF74000.00000004.00000020.00020000.00000000.sdmp, enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp, WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdbp source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdbSystem.Xml.dll` source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.pdbenigma_loader.exe source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: enigma_loader.exe, 00000000.00000002.3061899008.000000001C0F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER4E45.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER4E45.tmp.dmp.9.dr

Data Obfuscation

Source: enigma_loader.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: enigma_loader.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: enigma_loader.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: enigma_loader.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: enigma_loader.exe, Messages.cs	.Net Code: Memory
Source: svchost.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F1E9D push ebx; iretd	0_2_00007FFD9B7F1EAA
Source: C:\Users\user\Desktop\enigma_loader.exe	Code function: 0_2_00007FFD9B7F00AD pushad ; iretd	0_2_00007FFD9B7F00C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 1_2_00007FFD9B8000AD pushad ; iretd	1_2_00007FFD9B8000C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD9B8000AD pushad ; iretd	3_2_00007FFD9B8000C1

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\enigma_loader.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\enigma_loader.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\enigma_loader.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Source: C:\Users\user\Desktop\enigma_loader.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\enigma_loader.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\enigma_loader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\enigma_loader.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Memory allocated: 1B040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1AD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1A4A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Window / User API: threadDelayed 2905			Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Window / User API: threadDelayed 6935			Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe TID: 7376	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dlllture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\enigma_loader.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 7268 -ip 7268			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7268 -s 1880			Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe	Queries volume information: C:\Users\user\Desktop\enigma_loader.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\enigma_loader.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\enigma_loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: enigma_loader.exe, 00000000.00000002.3061511160.000000001BF74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\enigma_loader.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: enigma_loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.enigma_loader.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3059612959.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: enigma_loader.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: enigma_loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.enigma_loader.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3059612959.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: enigma_loader.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	231 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
enigma_loader.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
enigma_loader.exe	100%	Avira	HEUR/AGEN.1305769
enigma_loader.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\svchost.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
selection-wa.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
selection-wa.gl.at.ply.gg	147.185.221.23	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
selection-wa.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
127.0.0.1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	enigma_loader.exe, 00000000.00000002.3059612959.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	selection-wa.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561481
Start date and time:	2024-11-23 14:30:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	enigma_loader.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/10@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target svchost.exe, PID 7464 because it is empty
Execution Graph export aborted for target svchost.exe, PID 7644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: enigma_loader.exe

Simulations

Behavior and APIs

Time	Type	Description
08:31:16	API Interceptor	5497992x Sleep call for process: enigma_loader.exe modified
13:31:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
13:31:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
13:31:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	exe006.exe	Get hash	malicious	SheetRat	Browse
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse
	eternal.exe	Get hash	malicious	XWorm	Browse
	svchost.exe	Get hash	malicious	Unknown	Browse
	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse
	exe030.exe	Get hash	malicious	XWorm	Browse
	pQm8Ci3Dov.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	exe006.exe	Get hash	malicious	SheetRat	Browse	147.185.221.23
	exe003.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	147.185.221.23
	eternal.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	svchost.exe	Get hash	malicious	Unknown	Browse	147.185.221.23
	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse	147.185.221.23

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_enigma_loader.ex_241c9992af64d28bdcb0b67c166884b89b2d3ebe_e45d3950_fd5bba2a-f600-4b81-a0a7-5975f24b1b5e\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3255494721995904
Encrypted:	false
SSDEEP:	192:w4t8w6Wuv3081iHxaWz8iyg5lA1t2zuiFKZ24lO8/4y:w69uvE81iRa48idAOzuiFKY4lO8/l
MD5:	4507FE0F54BC5AA52DF00D7EAF221CD0
SHA1:	5EE73D73B6F433C81EDA2ECC228D8F0682CB462B
SHA-256:	BA81004DD3E1F062046B9E493425A5D477C3C56FCB4608ECD1C2A5BE6F463CAF
SHA-512:	D347281726FD4591BFE678DF2A3263020A73B468D8300B2E4BB3DAA724406B678262E8845231729AED89C19D7E65102F8680D5259C6C21EC096A3179806E55B9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.4.2.4.1.1.3.2.2.5.3.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.5.b.b.a.2.a.-.f.6.0.0.-.4.b.8.1.-.a.0.a.7.-.5.9.7.5.f.2.4.b.1.b.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.2.7.8.f.f.3.-.e.9.c.7.-.4.c.4.a.-.9.3.8.b.-.b.9.3.1.c.c.8.c.b.b.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.n.i.g.m.a._.l.o.a.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.'...".+. ..... .........".....,...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.4.-.0.0.0.1.-.0.0.1.4.-.4.7.e.5.-.6.1.f.6.a.b.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.8.a.b.c.c.e.1.9.c.f.c.5.2.4.c.5.5.c.1.1.9.a.6.0.c.e.2.8.4.c.0.0.0.0.0.0.0.0.!.0.0.0.0.4.8.8.0.3.b.3.8.e.7.4.3.8.2.8.2.6.a.a.8.b.4.c.a.9.d.3.e.2.0.1.7.6.0.1.3.3.0.e.b.!.e.n.i.g.m.a._.l.o.a.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E45.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sat Nov 23 13:33:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	523859
Entropy (8bit):	3.11843367176594
Encrypted:	false
SSDEEP:	3072:/6lZa9kB3+vu+drTxkbO2ruuy64ObRmFxXH+cS4ygPB1CCqBc2a:/6lGkB3Qu+dpAruuy6vFwmU5qBC
MD5:	5AD865A76F64FE66CACD07207B4AE9A7
SHA1:	80DD1A27EB54A2AE64859C891BDE3C41E0F7AF85
SHA-256:	72269A2A175167D28B7EE6C00E0AB917A3BA6341D5A5C3FA317ACACBAB43B719
SHA-512:	86E54966ED25EF6A29E0B1C0DFBE06163D06451975BF9F07077CABAC1F58732DBD94B9DE9DF31FCC27A5F970A734DF141FF8BE586B4EA5D92230783A7115D0F5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Ag.........................#..$.......$...,-......$...P-......d9..............l.......8...........T............I.............t;..........`=..............................................................................eJ.......=......Lw......................T.......d.....Ag....2........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FFB.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9340
Entropy (8bit):	3.7013386466840617
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9i96Y9yVV0gmfk4jX4t8Iprr89bXvXwbvrfMW9m:R6lXJ496Y4VWgmfkS4tYXvX0vrf6
MD5:	E6AFB2A930B7B567A322D9E7A0048E5A
SHA1:	D26A2F9068C5C4857296B0DE9FAEE0910362A150
SHA-256:	CDD41B62F6FA41E1946ABCE4AE07978DBA5F2F9C0384761CDF6196EE1AF35220
SHA-512:	1A97BB70107704E09E3193EC75C589D1A05C7C1F57BBDAA60FAE6C213BBF45B8BF43028498435FAF3AF3B7461F6037822EADD618B6437F52FE67AE249830B91A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER503B.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4963
Entropy (8bit):	4.494688239637227
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg771I9/0WpW8VYQyYm8M4JwSFMy4yq8vR7/4UrSsyd:uIjf0I70t7VpJwNWlxOsyd
MD5:	27A79A8D8BDAC40E3EF324F4D5DADAAE
SHA1:	61513577FA63D2375EF30F7A0D8629DE75C8D7FC
SHA-256:	3D77062AED40F24447B3EACAA82AC73675D0207F1C3E6975B6731237DCF424B7
SHA-512:	829077D3F645B7DCB6A98A3A0764697F9D982F2044574DDBD79B3D07F056E09EB7EA218D8B2FCAB8170A7E97BD045896B7421B752227507478672136A07351F7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600756" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER50E5.tmp.csv

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80988
Entropy (8bit):	3.109606105736042
Encrypted:	false
SSDEEP:	1536:kPj35oN+1+sEzZCOmh+Fe8d55j/FG6XdW9:kPj35oN+1+sEzZCOmh+Fe8d55zFG6Xdy
MD5:	55493B2B910FCC22F826E106146A1186
SHA1:	189C651F06C89B2B38E4B37CBA59BF5320D18EC8
SHA-256:	295FD6E30B414D61CD6DF20489C0187B8C5917C5EF93CE99C35D317E96C0C400
SHA-512:	519F7AB6F24C6C7F15983DA28297943326C9427D834FC7019F9B53292F802950C08A6470EA1D08CCDC9E88FB04C37E3320152F884E4F5F0C34F0E197F59CA1D2
Malicious:	false
Reputation:	low
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER528B.tmp.txt

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6870056256649826
Encrypted:	false
SSDEEP:	96:TiZYW8zW02YTYKkWBibHxYEZfJtNiEIFDjwJ26QaWOiM+Z4IvwZ3:2ZDpEtuX/EaWOiM+ZfvM3
MD5:	9368DDB17C320932628FD1F050542BE8
SHA1:	53D26C1FFBA39EE1571DBDF1E7D9F24433A79780
SHA-256:	D220D0533C7B5971453696BEB353A3F5CB354DB956066D91252ACA856A7BF582
SHA-512:	77DE3D55C47746B72FA655909B9BE2C935883C2259A0B37030BCAF6A667D5AD8759C3C8B6E420F7702ECC83E654F56BB42871DD0D6B91DC8C34E8FC156147019
Malicious:	false
Reputation:	low
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Process:	C:\Users\user\Desktop\enigma_loader.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 12:31:16 2024, mtime=Sat Nov 23 12:31:16 2024, atime=Sat Nov 23 12:31:16 2024, length=35840, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.035439340804292
Encrypted:	false
SSDEEP:	12:83Uk/7k/n24h8WC0rgdY//UyL2XNvu4jAsjrHkBLBmV:83ChHc+MM2X0cAsjIBLBm
MD5:	EE1A7D3AFFAC12AE4D0001A1B8AF460D
SHA1:	7AEF855D9BE90AA4FEB66DDE991520FC627CD7E3
SHA-256:	A6AF25811C1C488EA6725213ECB7A7739C1F0E41195A9518526BAF9D4232FE16
SHA-512:	16BF0C59E3A10D18A85D4E599BE4994F7B190C29B8286EA51759B71CA4376828C1D849EF43D02C002F67C624CB80B9C2AD57872F7AF9E43F17F6FF6637DE0016
Malicious:	false
Preview:	L..................F.... ....~...=...~...=...~...=..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v....y~i.=.......=......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^wY.k...........................%..A.p.p.D.a.t.a...B.V.1.....wY.k..Roaming.@......CW.^wY.k..........................._.R.o.a.m.i.n.g.....b.2.....wY.k .svchost.exe.H......wY.kwY.k..............................s.v.c.h.o.s.t...e.x.e.......Y...............-.......X..............~.....C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......284992...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\svchost.exe

Process:	C:\Users\user\Desktop\enigma_loader.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.6012158815462545
Encrypted:	false
SSDEEP:	384:ySBqVEqKykkTwusE+E33Rz3UXmbXLZoWRy7vHsJQcXTSc58pkFyHBLTIZwgG+Vv8:VQDb3QIX/hGcVFy79e6GOjhvy4Bt
MD5:	262215BCD5FBA074E3F2DD216663F727
SHA1:	48803B38E74382826AA8B4CA9D3E2017601330EB
SHA-256:	A0B52D44E5CE4FD05068101A2A7FE64B533BE9BACC774942234CBDD23B12D150
SHA-512:	DABC803AB7BABE6B6FBAE7A9B6E9E192B27C7D9ACB5D55CB990509CA2ED5800821CEB221FFC1A26CE77F21C29B8D7766D19218FCEA4A1F4054397E628E1764E8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.@g................................. ........@.. ....................................@....................................K.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......0S...M............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465702123831318
Encrypted:	false
SSDEEP:	6144:xIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uN5dwBCswSbZ:SXD944WlLZMM6YFHb+Z
MD5:	81B88D88EB95B75691805BB843F0C468
SHA1:	5C51F988E438ED5A610B625F162E7C45639EC8FF
SHA-256:	2F65D37C3CF3895E291AB4A9486908E40191986EE65EC689331F197E6EF29487
SHA-512:	CA60328A8CB3CE3EEFBD1F4E149DC845C1B73B0EAE9EC174DA6689F7D8AB75AD1664D5E0C27B81C707657178BE354784D06BB5B98C82E508FB1E4933559E3BB6
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..YI.=...............................................................................................................................................................................................................................................................................................................................................zN}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.6012158815462545
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	enigma_loader.exe
File size:	35'840 bytes
MD5:	262215bcd5fba074e3f2dd216663f727
SHA1:	48803b38e74382826aa8b4ca9d3e2017601330eb
SHA256:	a0b52d44e5ce4fd05068101a2a7fe64b533be9bacc774942234cbdd23b12d150
SHA512:	dabc803ab7babe6b6fbae7a9b6e9e192b27c7d9acb5d55cb990509ca2ed5800821ceb221ffc1a26ce77f21c29b8d7766d19218fcea4a1f4054397e628e1764e8
SSDEEP:	384:ySBqVEqKykkTwusE+E33Rz3UXmbXLZoWRy7vHsJQcXTSc58pkFyHBLTIZwgG+Vv8:VQDb3QIX/hGcVFy79e6GOjhvy4Bt
TLSH:	80F24B08B3900756D6ED6FB56EB3A1420679FA078913EB5E0CD4849B7F337C18A123E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.@g................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a12e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740E26B [Fri Nov 22 19:58:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x500	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8134	0x8200	4d5d1fce4af35d602822054fcfb1ead7	False	0.4982872596153846	data	5.735314685854522	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x500	0x600	331abcd5e502089714ca8eff24912c6b	False	0.3893229166666667	data	3.932150987433378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	6ec9a61f3ba2211c329706c20b53f907	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x26c	data			0.47580645161290325
RT_MANIFEST	0xc310	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T14:31:26.215138+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:31:26.215138+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:31:32.708522+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:31:33.341346+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:31:33.343099+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:31:47.555949+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:31:47.557720+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:31:56.223589+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:31:56.223589+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:01.774279+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:01.777125+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:15.996776+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:16.000422+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:22.799231+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:22.863645+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:26.222991+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:26.222991+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:32.774900+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:32.777946+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:33.086808+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:33.088656+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:33.391147+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:33.703067+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:36.699680+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:37.215754+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:37.221099+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:37.526454+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:37.532883+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:43.305303+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:43.306878+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:43.620016+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:43.622906+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:44.653952+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:44.656683+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:45.653721+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:45.656449+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:48.821136+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:48.824507+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:49.132021+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:49.140499+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:49.454718+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:49.456622+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:51.367562+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:51.372590+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:51.678461+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:51.680412+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:56.213226+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:56.213226+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:59.674253+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:59.685580+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:32:59.984447+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:32:59.986287+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:05.228480+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:05.230932+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:05.539012+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:05.557175+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:05.852647+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:06.159975+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:06.161321+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:09.416188+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:09.505789+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:15.759717+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:16.039955+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:26.238242+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:26.238242+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:27.354918+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:27.359678+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:27.666554+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:27.671384+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:28.969465+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:28.987717+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP
2024-11-23T14:33:29.279560+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	147.185.221.23	64769	192.168.2.4	49730	TCP
2024-11-23T14:33:29.287722+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49730	147.185.221.23	64769	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:31:18.185638905 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:18.306057930 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:18.306184053 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:18.488655090 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:18.609757900 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:26.215137959 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:26.266459942 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:32.708522081 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:32.828713894 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:33.341346025 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:33.343099117 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:33.464010954 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:46.923078060 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:47.043400049 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:47.555948973 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:47.557719946 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:31:47.677710056 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:56.223588943 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:31:56.266558886 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:01.141849041 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:01.261753082 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:01.774279118 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:01.777124882 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:01.896859884 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:15.360831022 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:15.482292891 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:15.996776104 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:16.000422001 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:16.120162010 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:22.063967943 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:22.183727026 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:22.799231052 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:22.844762087 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:22.863645077 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:22.983331919 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:26.222990990 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:26.285902977 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.142007113 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.261955976 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:32.262013912 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.381638050 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:32.381696939 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.501449108 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:32.501524925 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.621653080 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:32.774899960 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:32.777945995 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:32.897542953 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.086807966 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.088655949 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:33.208250999 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.389233112 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.391146898 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:33.511450052 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.513679028 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:33.634553909 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.699222088 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.703067064 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:33.823930025 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:33.824172974 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:33.943820000 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:36.579807043 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:36.699611902 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:36.699680090 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:36.824090958 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:37.215754032 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:37.221098900 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:37.340938091 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:37.526453972 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:37.532882929 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:37.652522087 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:42.673289061 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:42.792861938 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:42.792918921 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:42.912476063 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:43.305303097 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:43.306878090 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:43.426636934 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:43.620016098 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:43.622905970 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:43.742767096 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:43.742882013 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:43.867902994 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:44.653951883 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:44.656682968 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:44.776853085 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:44.860802889 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:44.980566025 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:45.653721094 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:45.656449080 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:45.779002905 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:48.188816071 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:48.308489084 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:48.308553934 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:48.430927038 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:48.821135998 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:48.824506998 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:48.944279909 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:49.132020950 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:49.140499115 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:49.260293007 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:49.454718113 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:49.456621885 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:49.576380014 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:50.735707045 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:50.855493069 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:50.923141003 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:51.045681953 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:51.367562056 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:51.372590065 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:51.492613077 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:51.678461075 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:51.680412054 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:51.800117970 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:56.213226080 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:56.312988997 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:59.032571077 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:59.152441025 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:59.152539968 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:59.272972107 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:59.674252987 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:59.685580015 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:32:59.807502985 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:59.984447002 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:32:59.986287117 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:00.105969906 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:04.548702002 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:04.669701099 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:04.669764042 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:04.790132046 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:04.790199041 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:04.909859896 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:04.911715031 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:05.031779051 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.228480101 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.230931997 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:05.351522923 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.539011955 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.557174921 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:05.678400040 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.850704908 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.852647066 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:05.972240925 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:05.972296953 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:06.092312098 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:06.159975052 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:06.161320925 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:06.283874035 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:08.782706976 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:08.903393984 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:09.416188002 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:09.505789042 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:09.625682116 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:15.127681971 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:15.247559071 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:15.759716988 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:15.846812010 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:16.039954901 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:16.159852028 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:26.238241911 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:26.360532999 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:26.720244884 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:26.841856003 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:26.841912985 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:26.962660074 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:27.354918003 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:27.359678030 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:27.479146004 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:27.666553974 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:27.671384096 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:27.790929079 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:28.329900026 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:28.450639963 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:28.450700998 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:28.570354939 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:28.969465017 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:28.987716913 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:29.107867956 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:29.279560089 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:29.287722111 CET	49730	64769	192.168.2.4	147.185.221.23
Nov 23, 2024 14:33:29.408399105 CET	64769	49730	147.185.221.23	192.168.2.4
Nov 23, 2024 14:33:33.844039917 CET	49730	64769	192.168.2.4	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:31:17.763812065 CET	58330	53	192.168.2.4	1.1.1.1
Nov 23, 2024 14:31:17.999507904 CET	53	58330	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 14:31:17.763812065 CET	192.168.2.4	1.1.1.1	0x332f	Standard query (0)	selection-wa.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 14:31:17.999507904 CET	1.1.1.1	192.168.2.4	0x332f	No error (0)	selection-wa.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:31:11
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\enigma_loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\enigma_loader.exe"
Imagebase:	0xd50000
File size:	35'840 bytes
MD5 hash:	262215BCD5FBA074E3F2DD216663F727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1652786241.0000000000D52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3059612959.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	08:31:25
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x960000
File size:	35'840 bytes
MD5 hash:	262215BCD5FBA074E3F2DD216663F727
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	08:31:34
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x80000
File size:	35'840 bytes
MD5 hash:	262215BCD5FBA074E3F2DD216663F727
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	08:33:30
Start date:	23/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	08:33:31
Start date:	23/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 440 -p 7268 -ip 7268
Imagebase:	0x7ff75c3d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	08:33:31
Start date:	23/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7268 -s 1880
Imagebase:	0x7ff75c3d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true