Edit tour

Windows Analysis Report
Scvi1cE64H.exe

Overview

General Information

Sample name:	Scvi1cE64H.exe renamed because original name is a hash value
Original sample name:	638a8fcaec15d795231c5267c9649453ba4b85d0ea09a4455b2f20ea12be39a5.exe
Analysis ID:	1561586
MD5:	07c09b14a7719a820968ad2222428b87
SHA1:	c31e61138c6c7f9ae64da86420eb474ca88f734f
SHA256:	638a8fcaec15d795231c5267c9649453ba4b85d0ea09a4455b2f20ea12be39a5
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Scvi1cE64H.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\Scvi1cE64H.exe" MD5: 07C09B14A7719A820968AD2222428B87)

WerFault.exe (PID: 5984 cmdline: C:\Windows\system32\WerFault.exe -u -p 5016 -s 1936 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["81.161.238.249"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Scvi1cE64H.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Scvi1cE64H.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf524:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf5c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf6d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe9da:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf524:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf5c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf6d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe9da:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf324:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf3c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf4d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe7da:$cnc4: POST / HTTP/1.1
00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Scvi1cE64H.exe PID: 5016	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Scvi1cE64H.exe.5e0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Scvi1cE64H.exe.5e0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf524:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf5c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf6d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe9da:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Scvi1cE64H.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:02:07.465700+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:13.400101+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:23.557552+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:33.751740+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:37.469899+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:44.031724+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:54.258816+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:04.530376+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:07.459544+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:14.808213+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:15.682718+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:17.594967+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:17.878758+0100	2852870	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:02:13.402157+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:23.559692+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:33.755268+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:44.052119+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:54.261219+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:04.533275+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:14.821165+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:15.684773+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:17.598172+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:17.881558+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:02:07.465700+0100	2852874	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:37.469899+0100	2852874	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:07.459544+0100	2852874	1	Malware Command and Control Activity Detected	81.161.238.249	7000	192.168.2.6	49707	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:02:12.893886+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.6	49707	81.161.238.249	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Scvi1cE64H.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: Scvi1cE64H.exe

Malware Configuration Extractor: Xworm {"C2 url": ["81.161.238.249"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: Scvi1cE64H.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Scvi1cE64H.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: Scvi1cE64H.exe	String decryptor: 81.161.238.249
Source: Scvi1cE64H.exe	String decryptor: 7000
Source: Scvi1cE64H.exe	String decryptor: <123456789>
Source: Scvi1cE64H.exe	String decryptor: <Xwormmm>
Source: Scvi1cE64H.exe	String decryptor: XWorm V5.2
Source: Scvi1cE64H.exe	String decryptor: USB.exe
Source: Scvi1cE64H.exe	String decryptor: %Temp%
Source: Scvi1cE64H.exe	String decryptor: SystemBootComponent.exe

Source: Scvi1cE64H.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Scvi1cE64H.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb-08 source: Scvi1cE64H.exe, 00000000.00000002.3017551517.0000000000A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: .pdbq source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb.> source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb. source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb@ source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbj source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3017551517.0000000000A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp, WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb[ source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Scvi1cE64H.PDB source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ@ source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 81.161.238.249:7000 -> 192.168.2.6:49707
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 81.161.238.249:7000 -> 192.168.2.6:49707
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49707 -> 81.161.238.249:7000
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49707 -> 81.161.238.249:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 81.161.238.249

Source: global traffic

TCP traffic: 192.168.2.6:49707 -> 81.161.238.249:7000

Source: Joe Sandbox View

ASN Name: NETIKOM-ASIT NETIKOM-ASIT

Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.238.249

Source: Scvi1cE64H.exe, 00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Scvi1cE64H.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Scvi1cE64H.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348BB892	0_2_00007FFD348BB892
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B1088	0_2_00007FFD348B1088
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B61FB	0_2_00007FFD348B61FB
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348BAAE6	0_2_00007FFD348BAAE6
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B2819	0_2_00007FFD348B2819
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348BC765	0_2_00007FFD348BC765
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B1080	0_2_00007FFD348B1080
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B10D3	0_2_00007FFD348B10D3
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B321C	0_2_00007FFD348B321C
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B1168	0_2_00007FFD348B1168
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348BF16C	0_2_00007FFD348BF16C
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B398A	0_2_00007FFD348B398A
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B6158	0_2_00007FFD348B6158
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B0EE5	0_2_00007FFD348B0EE5
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B0FFA	0_2_00007FFD348B0FFA

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5016 -s 1936

Source: Scvi1cE64H.exe, 00000000.00000000.2106894872.00000000005F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystemBootComponent.exe4 vs Scvi1cE64H.exe
Source: Scvi1cE64H.exe	Binary or memory string: OriginalFilenameSystemBootComponent.exe4 vs Scvi1cE64H.exe

Source: Scvi1cE64H.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Scvi1cE64H.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Scvi1cE64H.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Scvi1cE64H.exe, jAL32Rk0A5AWYI1hrBWR3Y1o.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Scvi1cE64H.exe, pFJU8PVl0OMHVTXOMKghPYws.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Scvi1cE64H.exe, pFJU8PVl0OMHVTXOMKghPYws.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SystemBootComponent.exe.0.dr, jAL32Rk0A5AWYI1hrBWR3Y1o.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SystemBootComponent.exe.0.dr, pFJU8PVl0OMHVTXOMKghPYws.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: SystemBootComponent.exe.0.dr, pFJU8PVl0OMHVTXOMKghPYws.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: SystemBootComponent.exe.0.dr, 2zpWi5nbN4skGn.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SystemBootComponent.exe.0.dr, 2zpWi5nbN4skGn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Scvi1cE64H.exe, 2zpWi5nbN4skGn.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Scvi1cE64H.exe, 2zpWi5nbN4skGn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/8@0/1

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5016
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZIobbhsTRfU5iXhA

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File created: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

Jump to behavior

Source: Scvi1cE64H.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Scvi1cE64H.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scvi1cE64H.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File read: C:\Users\user\Desktop\Scvi1cE64H.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scvi1cE64H.exe "C:\Users\user\Desktop\Scvi1cE64H.exe"
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5016 -s 1936

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: SystemBootComponent.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\Temp\SystemBootComponent.exe

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Scvi1cE64H.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Scvi1cE64H.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb-08 source: Scvi1cE64H.exe, 00000000.00000002.3017551517.0000000000A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: .pdbq source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb.> source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb. source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb@ source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbj source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3017551517.0000000000A59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp, WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb[ source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Scvi1cE64H.PDB source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ@ source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3020481994.000000001B732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: Scvi1cE64H.exe, 00000000.00000002.3021009050.000000001BC48000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WEREE1A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WEREE1A.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{TptcJis7agb7YD.zYREBPbbV2qyCc,TptcJis7agb7YD._0q5ZqjAz8nOPYc,TptcJis7agb7YD._3Z8SFQZCdbk40V,TptcJis7agb7YD.ZyvQ6RWMFVefWn,pFJU8PVl0OMHVTXOMKghPYws.PcXZFGhsZtOblrQ23HKrWa7k()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[2],pFJU8PVl0OMHVTXOMKghPYws.VaMsrQcyrRkSmHOAChjfXW7E(Convert.FromBase64String(tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{TptcJis7agb7YD.zYREBPbbV2qyCc,TptcJis7agb7YD._0q5ZqjAz8nOPYc,TptcJis7agb7YD._3Z8SFQZCdbk40V,TptcJis7agb7YD.ZyvQ6RWMFVefWn,pFJU8PVl0OMHVTXOMKghPYws.PcXZFGhsZtOblrQ23HKrWa7k()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[2],pFJU8PVl0OMHVTXOMKghPYws.VaMsrQcyrRkSmHOAChjfXW7E(Convert.FromBase64String(tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tcU5eQeyxx29kiemMB3W65RWRW8xlZ0nt0wACEarvG2nwAICq1bZiXvvYL5tZOFl4pVwwKnFqSkLYuL0XZFZcrlmpu5omc03[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: _7Xfuj2grk5ViS4utjwlw65hmfgOi7J1o1WvwJDHrjlsNtdpJuoAyNZTUgFdakbciAxN0dhY8QDTiVEh System.AppDomain.Load(byte[])
Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: S2k6YvmdZFg3y7EhcplKH2cyo5rki2hRZ7gAvVjDo60dxszrTHt58s7xk4o6z2tx System.AppDomain.Load(byte[])
Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: S2k6YvmdZFg3y7EhcplKH2cyo5rki2hRZ7gAvVjDo60dxszrTHt58s7xk4o6z2tx
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: _7Xfuj2grk5ViS4utjwlw65hmfgOi7J1o1WvwJDHrjlsNtdpJuoAyNZTUgFdakbciAxN0dhY8QDTiVEh System.AppDomain.Load(byte[])
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: S2k6YvmdZFg3y7EhcplKH2cyo5rki2hRZ7gAvVjDo60dxszrTHt58s7xk4o6z2tx System.AppDomain.Load(byte[])
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	.Net Code: S2k6YvmdZFg3y7EhcplKH2cyo5rki2hRZ7gAvVjDo60dxszrTHt58s7xk4o6z2tx

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B5A87 push ebx; retf 5F4Ch		0_2_00007FFD348B5ADA
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Code function: 0_2_00007FFD348B00BD pushad ; iretd		0_2_00007FFD348B00C1

Source: Scvi1cE64H.exe, ZlL3D9KbmHSvkrKnUH4Va1fWZ3p83RkW7l1NAqI3dbAH47AVh0iMWTnd.cs	High entropy of concatenated method names: 'mo5BLVBKsmpMh2rONYS0984TkvIxqr6MQ94KO1XDxdKnGP0IlwX8oB95', 'XQ1Xbhj7R0RDD5Y49fCQ96ILXAuyG4J9UkxeJHAthyhsS58RnyM0a1zi', 'Pz48E8fEpoACFKMzDU3EVSdPSXhkoSLWNV41zgyWhzQGtSJRis5xoWwj', '_8aNzHK2u4ZzdqyiQHFmMhDt4huw5ZJtjjM3I5ws2iahzVWvm1bMkuLApU0QC9o7f43vIvJo2CJhXZ2oSz6k', 'aHRhYay7ZJ5VSmcjpN6kAd4hnWwAaKQWqlBwWsI8XThKrFNYG63xv05sEn9yuPX6mpB4U6eJgOELpGVXm9f', '_8Lz6ogy6PqvIXQoUtoppb5Fakig4ptMSTQco8mqmpfu5JStKh1PgW2SkK8zFpz668f5rUZsINaJBtj131Ak', '_7Lgr4Nc7ft7R1Xspn1K8lRVcExAB18Q9l0SJIW754zl3RDptkZnqgigilZsrb3UXPstAUuv9ARUbvZkV6PB', 'HhbhJmlA3L5rKQPwf5flCy4lOdAmYWxHjTOLTAlqU6h87BkJteYSn1k8vRmf7N3OZNAsOcKWPGCmEAKg42G', 'YtFJcDGZ20M54Sr5BQh0aFwUmbIpgeiNdUs6w8n2oT5HrXzFgeUKtg8kxddBeftm8QPkWjufaDA0PhFwvsV', '_5t2ihwXfAxCGfRmkGWkfrt1mKFWQ47Hq4NTBvprp8sZEF8ZJRYoJsmQ0mmQQiCipf0opI6ChB1l1xtBqkWX'
Source: Scvi1cE64H.exe, JXkizmRngv50etlHAeIOHrbgu8AM0.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Tt5C8HXVlF5d1Kbv', 'V1YbTlMA4HAFBrI7', 'xLwVHbaVcMA4QZrg', 'lcYhqdSpIPPdVJ3Q'
Source: Scvi1cE64H.exe, VpmzBc3f598aquFiwXNhIxTBuX6LJzZNksXSMNQ3LBdweOxeqNii6Hm95bmJF4R6EIPriZQM1vB41ORiCblxI5Wp1MeuHnrv.cs	High entropy of concatenated method names: 'CvR9P5lAIclf2oGb1YdMctJLenwO42L6ZUbjbo4ixPd9Twzv96tYe440LuqMhqkAkBv4ELNDsOlnarjqnfCddzWDj7IEXtGn', 'ZFdvpob5Y2vLfICQbAp', '_8f5fegXfVsd2dCItAWb', 'BdZT9yM28P4Q10wjF7z', 'QOxSw019TQQHFVLco8N'
Source: Scvi1cE64H.exe, iOYSc1YnPaSxZX.cs	High entropy of concatenated method names: 'pgeqosPsoRKuOy', 'S7O9v0Wbys2XuU', 'ks6Ym1jt88jDRl', 'F9jBk8meRXehJh', 'LdKmwi0kPIyb4rlr', 'wcIKSu5e793IJX9R', 'BcOjWVU9EXrDDYf1', '_6BW3hutaedNqdDMe', 'MCbx3ZVtslDC0OoC', 'hZbXDSafbk8DNJeo'
Source: Scvi1cE64H.exe, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	High entropy of concatenated method names: '_77vZspajKG4MXnstLSkix7k55gIld4cV3fFsLoa25Fv0uxfusVC6i5IMnIZJqY1MERf6dujTqbmiFW4', '_7Xfuj2grk5ViS4utjwlw65hmfgOi7J1o1WvwJDHrjlsNtdpJuoAyNZTUgFdakbciAxN0dhY8QDTiVEh', 'LmARPzCmtdhthclG0qwBlPVYNmN0PpKUAsiFQpY0ncwfJJby3ftBqgOHZSSFahCG', '_4uQFJWi48147Fktt3okMwdxCBlkk9gRKVLIk59g34XLaxRY71ytyd18PBCTeCUyH', 'YH2iCsxPOE14jkcSgJDQD4mMrJobpxpFhDIpr1W3LdwLt3KSBVaiOM1MiLLtZXXx', '_1lFTVul5ygYE7tSuEVJo1vy03xwbC3Tyj7eyIqWbQO7uUUARMEQlZLxKnujRSz38', 'ULnqhtulRJGPqKGrPrQWnI0xBtN1xuVi0KUt4aX7WY08NDRaCNGCrQP4cMGL0SoH', 'XwQu23QjD4y2N2HJmttlFwA0wLnNxaMf5zZdaSOVwDEimbXPyzNM41kPISCQ0qbp', 'aHJQwDQ58gUTWzeLirtXVclOWTvXWQTG3Jf3YbHByBtb7H6C8ARTMJy9KngddhZy', '_396kMFMRAjwTTJH9tmYDOF89sUX27RzXIQiyanyHwMbMpcygx9PZrVySHsSIt4mU'
Source: Scvi1cE64H.exe, pFJU8PVl0OMHVTXOMKghPYws.cs	High entropy of concatenated method names: 'duKd51dyVhRJbCXh5M8wNsTd', '_0rDo9wucrOUIJ9TIYixqtaZl', 'F3qmsInRxwSf494bI0U9fkv4', 'onYpxJeDXBxNGc7PFu91cU5y', 'Ew15iN7ag49yMK6HadKdCEb6', 'V9ZG59lIVH0F5UDTxMarEyZ6', 'Q6o3F9brlMmtc0d3HNdTYlV6', 'ylXVxyBriCeesyZbVDMwkGQi', 'wZrQ3VOvb76xdIVrlklnxYM5', 'fNqMuvpw0E9QTBPBQsT9QmG9'
Source: Scvi1cE64H.exe, UytzpvvfhgdodWuM1KZ7aZTAPVSQEtXSdsOGaz2e9C21jVxQ3nbdZxqQpNN4nQBhEe0PcRdS6U3mwtTdmWxuuTrZVixA3A6L.cs	High entropy of concatenated method names: 'mPoxmxnEaOCFM4FngcgX4ZW5Riw7RaPfsj6BlWekcyyN9bDcWDQKMTuSwosZcXgXqsLYurU8AHNcl6QZrFHaPkFUb2l5ju30', 'YKMP4UTFLhYwMAmh8dqi04tykZJx37SmD4UfPyuLjqZIa0UlzOqKImejHESMgiunqv8Rdk03jbT0eYPj1W', 'XM4nYoTQJzx56ZHfQlTgnP6S6PFzSGaJR59ONBCXLB8c62mZdqwTK1ZS784Aei5EX5MXUNODKS3Vrhi2Ml', 'sjAbjOE0f1n8E7jRSvbKJGangE81gCgoVpGBswvIJbIzAVlsvCvKQ86Sd0newKUQdoTJawvRQmKTEj3Ssb', 'dT0wADgG7q6vvxNwBFMuVZ9brjbZgQ9wNz2Dmde8x77gFpgN2FQad97vlZpZGlBm1Rxv2n6B4lvMFhUBrn', '_6e6kh99vJlznoNBWfUB9AeUiQoSjKrL7pSRHLW9K0ceSBt2mC22PSV4aJIFFH3LROyw0tKj3BB1DGQ0NWO', 'c5ctS7kBTSbR6KmDNp0cVrBvcYL7kceVTc6bNTOrK7sd2dGi41OV5P5J29jYY9njVTHvsX5aW0i3a5nKPJ', 'lZX6C2p0SpEY2HELb4gaPIBcTR0DQJUKQqf345wMgT7eKYr8vcts6rfMqfKxODgg07byJOjQxtHII313hF', '_7y8tbnPvRPICJ0zJNVrU7dPvJhZrKy2MZ8Aj41QbyBiidK3nfw5ybTARxgHasFWEHLohZFdF5Zc9lALMAC', 'bfuvvKGkPfldi9lLEqOR5FtfP2zeSUatWqUb64YarUHJvSlLa07PpLGb2vgQALqLHS1IANEwIXOP9rMblS'
Source: Scvi1cE64H.exe, 4mqXBzlFteZTbYmXywgrmwgY6theYoKVNbvtVSjLucwWfRste8BLoH7qiaUn7z8hTKI0R2sNFUjkhgUgcbU30rPHKVxzg2sY.cs	High entropy of concatenated method names: '_0d7XLkLfb51c0DlKNz4piTLVG0jMCQn6MM568KcAn5uSRhBna6KVBPxdeQloQZhXEIX3qOvEMH7PE6B2PrsOOPnI0r8YrLSE', 'mPXrozmuf0Ep2R91l7igqphUryt0cdOrxOqduna739uCrRYae80zTVx1X1PhFrvTKT10Z0GbOxcyGOr4BbWnfeDNhmYk71W5', 'vBMgtLWrGgaojoCiplOV42qpEWgiTIss56UrETzlZ393wfa7e27rq3ebKeDtA9WXvhocfgcUm5xDDUfNIrP1xMUg2PnvKRtr', 'mD5kAVWHwxX4PvNKxJK', '_6cEKQ1E5GTiVwfzoPCx', 'Ziu8lcgrnG4lBdhS89v', 'byobc78NZzKNJyUh4nU', 'MinIft9cR3e6F44oDnz', 'T3XbsVKbkslmdX4P8Tl', 'drL7bhwkUlqbt6HwSqz'
Source: Scvi1cE64H.exe, l3FDt0SSWoF5yrP2FocxyGUC.cs	High entropy of concatenated method names: 'yhxDH3tHEmGEgAdkClAhRNLr', '_67Lund9yrSYGUCIbivekypOy', '_2rKXAAyov6HwiAHsyLNwAN2M', 'Kw7sZCUuK0vpMwZsMe70c4xE', 'DeNdHVAqrZnNB4O3lvW', 'OBGL9QPHXcAxFmb4on6', 'AYReesvbQZwwVAbVKmp', 'Tdh96rJsN66ngRJC0w6', 'yv4iNm33ZmRTdWV9Di4', 'FbgEfMQhgVWQDmFAH6g'
Source: Scvi1cE64H.exe, 2zpWi5nbN4skGn.cs	High entropy of concatenated method names: 'lIXPxIW7Sa7S0cdlY3bJ1fO64BjDmaazwavFTgV91jIFkZ', 'iWuM6kr6Sb2RoYVv5eTaxPSZPCjvxLCTtVhF5nDwlS31gm', 'O4LbHkrXqGjSRSr7sYtuIIIWFtbcHU7duJt7Nq0jH1iDJc', '_1NhVAqBV8PQ2mstxFrG4wsuRmgOlMLGFU9zc3ryelldbYw', 'FYITLHmzZVVyREUG97e88echKY7YjidaEBsaO68lq3Zp77', 'UenQD4pgQvrmBF8w4FpTd6xJuMmGKFlHUOeA0k1ohjRN0r', 'cv76Wbq1Sojn9quMosvpbHlnRaDI5XjyF89AbirkEaafeo', 'qlvrFjaupdlSBcLdduIzIEGwvJMUQUQ5BaPXuAWJch5dwi', 'ggJMZNJ3E4Ejb9PWkO3su4Qgpwx2RNtKyqijG10XidMkiR', 'OSTx9wrJVu7iMwRofMFMrmKJhGD9O0W2ncmAEDfjz4L58A'
Source: SystemBootComponent.exe.0.dr, ZlL3D9KbmHSvkrKnUH4Va1fWZ3p83RkW7l1NAqI3dbAH47AVh0iMWTnd.cs	High entropy of concatenated method names: 'mo5BLVBKsmpMh2rONYS0984TkvIxqr6MQ94KO1XDxdKnGP0IlwX8oB95', 'XQ1Xbhj7R0RDD5Y49fCQ96ILXAuyG4J9UkxeJHAthyhsS58RnyM0a1zi', 'Pz48E8fEpoACFKMzDU3EVSdPSXhkoSLWNV41zgyWhzQGtSJRis5xoWwj', '_8aNzHK2u4ZzdqyiQHFmMhDt4huw5ZJtjjM3I5ws2iahzVWvm1bMkuLApU0QC9o7f43vIvJo2CJhXZ2oSz6k', 'aHRhYay7ZJ5VSmcjpN6kAd4hnWwAaKQWqlBwWsI8XThKrFNYG63xv05sEn9yuPX6mpB4U6eJgOELpGVXm9f', '_8Lz6ogy6PqvIXQoUtoppb5Fakig4ptMSTQco8mqmpfu5JStKh1PgW2SkK8zFpz668f5rUZsINaJBtj131Ak', '_7Lgr4Nc7ft7R1Xspn1K8lRVcExAB18Q9l0SJIW754zl3RDptkZnqgigilZsrb3UXPstAUuv9ARUbvZkV6PB', 'HhbhJmlA3L5rKQPwf5flCy4lOdAmYWxHjTOLTAlqU6h87BkJteYSn1k8vRmf7N3OZNAsOcKWPGCmEAKg42G', 'YtFJcDGZ20M54Sr5BQh0aFwUmbIpgeiNdUs6w8n2oT5HrXzFgeUKtg8kxddBeftm8QPkWjufaDA0PhFwvsV', '_5t2ihwXfAxCGfRmkGWkfrt1mKFWQ47Hq4NTBvprp8sZEF8ZJRYoJsmQ0mmQQiCipf0opI6ChB1l1xtBqkWX'
Source: SystemBootComponent.exe.0.dr, JXkizmRngv50etlHAeIOHrbgu8AM0.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Tt5C8HXVlF5d1Kbv', 'V1YbTlMA4HAFBrI7', 'xLwVHbaVcMA4QZrg', 'lcYhqdSpIPPdVJ3Q'
Source: SystemBootComponent.exe.0.dr, VpmzBc3f598aquFiwXNhIxTBuX6LJzZNksXSMNQ3LBdweOxeqNii6Hm95bmJF4R6EIPriZQM1vB41ORiCblxI5Wp1MeuHnrv.cs	High entropy of concatenated method names: 'CvR9P5lAIclf2oGb1YdMctJLenwO42L6ZUbjbo4ixPd9Twzv96tYe440LuqMhqkAkBv4ELNDsOlnarjqnfCddzWDj7IEXtGn', 'ZFdvpob5Y2vLfICQbAp', '_8f5fegXfVsd2dCItAWb', 'BdZT9yM28P4Q10wjF7z', 'QOxSw019TQQHFVLco8N'
Source: SystemBootComponent.exe.0.dr, iOYSc1YnPaSxZX.cs	High entropy of concatenated method names: 'pgeqosPsoRKuOy', 'S7O9v0Wbys2XuU', 'ks6Ym1jt88jDRl', 'F9jBk8meRXehJh', 'LdKmwi0kPIyb4rlr', 'wcIKSu5e793IJX9R', 'BcOjWVU9EXrDDYf1', '_6BW3hutaedNqdDMe', 'MCbx3ZVtslDC0OoC', 'hZbXDSafbk8DNJeo'
Source: SystemBootComponent.exe.0.dr, ZOdQlYmq59O21neTylhk7EoGC92YlEK3g7xAHmmlcaE3hjA1lzMOE08xwo0wFz9fMiiWPuuH1sCsDIl.cs	High entropy of concatenated method names: '_77vZspajKG4MXnstLSkix7k55gIld4cV3fFsLoa25Fv0uxfusVC6i5IMnIZJqY1MERf6dujTqbmiFW4', '_7Xfuj2grk5ViS4utjwlw65hmfgOi7J1o1WvwJDHrjlsNtdpJuoAyNZTUgFdakbciAxN0dhY8QDTiVEh', 'LmARPzCmtdhthclG0qwBlPVYNmN0PpKUAsiFQpY0ncwfJJby3ftBqgOHZSSFahCG', '_4uQFJWi48147Fktt3okMwdxCBlkk9gRKVLIk59g34XLaxRY71ytyd18PBCTeCUyH', 'YH2iCsxPOE14jkcSgJDQD4mMrJobpxpFhDIpr1W3LdwLt3KSBVaiOM1MiLLtZXXx', '_1lFTVul5ygYE7tSuEVJo1vy03xwbC3Tyj7eyIqWbQO7uUUARMEQlZLxKnujRSz38', 'ULnqhtulRJGPqKGrPrQWnI0xBtN1xuVi0KUt4aX7WY08NDRaCNGCrQP4cMGL0SoH', 'XwQu23QjD4y2N2HJmttlFwA0wLnNxaMf5zZdaSOVwDEimbXPyzNM41kPISCQ0qbp', 'aHJQwDQ58gUTWzeLirtXVclOWTvXWQTG3Jf3YbHByBtb7H6C8ARTMJy9KngddhZy', '_396kMFMRAjwTTJH9tmYDOF89sUX27RzXIQiyanyHwMbMpcygx9PZrVySHsSIt4mU'
Source: SystemBootComponent.exe.0.dr, pFJU8PVl0OMHVTXOMKghPYws.cs	High entropy of concatenated method names: 'duKd51dyVhRJbCXh5M8wNsTd', '_0rDo9wucrOUIJ9TIYixqtaZl', 'F3qmsInRxwSf494bI0U9fkv4', 'onYpxJeDXBxNGc7PFu91cU5y', 'Ew15iN7ag49yMK6HadKdCEb6', 'V9ZG59lIVH0F5UDTxMarEyZ6', 'Q6o3F9brlMmtc0d3HNdTYlV6', 'ylXVxyBriCeesyZbVDMwkGQi', 'wZrQ3VOvb76xdIVrlklnxYM5', 'fNqMuvpw0E9QTBPBQsT9QmG9'
Source: SystemBootComponent.exe.0.dr, UytzpvvfhgdodWuM1KZ7aZTAPVSQEtXSdsOGaz2e9C21jVxQ3nbdZxqQpNN4nQBhEe0PcRdS6U3mwtTdmWxuuTrZVixA3A6L.cs	High entropy of concatenated method names: 'mPoxmxnEaOCFM4FngcgX4ZW5Riw7RaPfsj6BlWekcyyN9bDcWDQKMTuSwosZcXgXqsLYurU8AHNcl6QZrFHaPkFUb2l5ju30', 'YKMP4UTFLhYwMAmh8dqi04tykZJx37SmD4UfPyuLjqZIa0UlzOqKImejHESMgiunqv8Rdk03jbT0eYPj1W', 'XM4nYoTQJzx56ZHfQlTgnP6S6PFzSGaJR59ONBCXLB8c62mZdqwTK1ZS784Aei5EX5MXUNODKS3Vrhi2Ml', 'sjAbjOE0f1n8E7jRSvbKJGangE81gCgoVpGBswvIJbIzAVlsvCvKQ86Sd0newKUQdoTJawvRQmKTEj3Ssb', 'dT0wADgG7q6vvxNwBFMuVZ9brjbZgQ9wNz2Dmde8x77gFpgN2FQad97vlZpZGlBm1Rxv2n6B4lvMFhUBrn', '_6e6kh99vJlznoNBWfUB9AeUiQoSjKrL7pSRHLW9K0ceSBt2mC22PSV4aJIFFH3LROyw0tKj3BB1DGQ0NWO', 'c5ctS7kBTSbR6KmDNp0cVrBvcYL7kceVTc6bNTOrK7sd2dGi41OV5P5J29jYY9njVTHvsX5aW0i3a5nKPJ', 'lZX6C2p0SpEY2HELb4gaPIBcTR0DQJUKQqf345wMgT7eKYr8vcts6rfMqfKxODgg07byJOjQxtHII313hF', '_7y8tbnPvRPICJ0zJNVrU7dPvJhZrKy2MZ8Aj41QbyBiidK3nfw5ybTARxgHasFWEHLohZFdF5Zc9lALMAC', 'bfuvvKGkPfldi9lLEqOR5FtfP2zeSUatWqUb64YarUHJvSlLa07PpLGb2vgQALqLHS1IANEwIXOP9rMblS'
Source: SystemBootComponent.exe.0.dr, 4mqXBzlFteZTbYmXywgrmwgY6theYoKVNbvtVSjLucwWfRste8BLoH7qiaUn7z8hTKI0R2sNFUjkhgUgcbU30rPHKVxzg2sY.cs	High entropy of concatenated method names: '_0d7XLkLfb51c0DlKNz4piTLVG0jMCQn6MM568KcAn5uSRhBna6KVBPxdeQloQZhXEIX3qOvEMH7PE6B2PrsOOPnI0r8YrLSE', 'mPXrozmuf0Ep2R91l7igqphUryt0cdOrxOqduna739uCrRYae80zTVx1X1PhFrvTKT10Z0GbOxcyGOr4BbWnfeDNhmYk71W5', 'vBMgtLWrGgaojoCiplOV42qpEWgiTIss56UrETzlZ393wfa7e27rq3ebKeDtA9WXvhocfgcUm5xDDUfNIrP1xMUg2PnvKRtr', 'mD5kAVWHwxX4PvNKxJK', '_6cEKQ1E5GTiVwfzoPCx', 'Ziu8lcgrnG4lBdhS89v', 'byobc78NZzKNJyUh4nU', 'MinIft9cR3e6F44oDnz', 'T3XbsVKbkslmdX4P8Tl', 'drL7bhwkUlqbt6HwSqz'
Source: SystemBootComponent.exe.0.dr, l3FDt0SSWoF5yrP2FocxyGUC.cs	High entropy of concatenated method names: 'yhxDH3tHEmGEgAdkClAhRNLr', '_67Lund9yrSYGUCIbivekypOy', '_2rKXAAyov6HwiAHsyLNwAN2M', 'Kw7sZCUuK0vpMwZsMe70c4xE', 'DeNdHVAqrZnNB4O3lvW', 'OBGL9QPHXcAxFmb4on6', 'AYReesvbQZwwVAbVKmp', 'Tdh96rJsN66ngRJC0w6', 'yv4iNm33ZmRTdWV9Di4', 'FbgEfMQhgVWQDmFAH6g'
Source: SystemBootComponent.exe.0.dr, 2zpWi5nbN4skGn.cs	High entropy of concatenated method names: 'lIXPxIW7Sa7S0cdlY3bJ1fO64BjDmaazwavFTgV91jIFkZ', 'iWuM6kr6Sb2RoYVv5eTaxPSZPCjvxLCTtVhF5nDwlS31gm', 'O4LbHkrXqGjSRSr7sYtuIIIWFtbcHU7duJt7Nq0jH1iDJc', '_1NhVAqBV8PQ2mstxFrG4wsuRmgOlMLGFU9zc3ryelldbYw', 'FYITLHmzZVVyREUG97e88echKY7YjidaEBsaO68lq3Zp77', 'UenQD4pgQvrmBF8w4FpTd6xJuMmGKFlHUOeA0k1ohjRN0r', 'cv76Wbq1Sojn9quMosvpbHlnRaDI5XjyF89AbirkEaafeo', 'qlvrFjaupdlSBcLdduIzIEGwvJMUQUQ5BaPXuAWJch5dwi', 'ggJMZNJ3E4Ejb9PWkO3su4Qgpwx2RNtKyqijG10XidMkiR', 'OSTx9wrJVu7iMwRofMFMrmKJhGD9O0W2ncmAEDfjz4L58A'

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File created: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Memory allocated: 26E0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Memory allocated: 1A8B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Window / User API: threadDelayed 7768			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Window / User API: threadDelayed 2089			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe TID: 2420

Thread sleep time: -1844674407370954s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Scvi1cE64H.exe, 00000000.00000002.3017551517.0000000000A59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm.%SystemRoot%\system32\mswsock.dll=neutral, PublicKeyToken=b77a5c561934e089
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Queries volume information: C:\Users\user\Desktop\Scvi1cE64H.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Scvi1cE64H.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Scvi1cE64H.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: Scvi1cE64H.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Scvi1cE64H.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scvi1cE64H.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: Scvi1cE64H.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Scvi1cE64H.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scvi1cE64H.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	231 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Scvi1cE64H.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
Scvi1cE64H.exe	100%	Avira	TR/Spy.Gen
Scvi1cE64H.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
81.161.238.249	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
81.161.238.249	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Scvi1cE64H.exe, 00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
81.161.238.249	unknown	Germany		207146	NETIKOM-ASIT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561586
Start date and time:	2024-11-23 21:01:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	Scvi1cE64H.exe renamed because original name is a hash value
Original Sample Name:	638a8fcaec15d795231c5267c9649453ba4b85d0ea09a4455b2f20ea12be39a5.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/8@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 13 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Scvi1cE64H.exe

Simulations

Behavior and APIs

Time	Type	Description
15:02:00	API Interceptor	1287596x Sleep call for process: Scvi1cE64H.exe modified
21:02:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETIKOM-ASIT	n5QCsKJ0CP.exe	Get hash	malicious	RedLine	Browse	81.161.238.38
	wyOEIjmWs8.exe	Get hash	malicious	Remcos	Browse	81.161.238.174
	17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	81.161.238.107
	https://81.161.238.66	Get hash	malicious	Xmrig	Browse	81.161.238.66
	KMqGoudziq.elf	Get hash	malicious	Unknown	Browse	81.161.235.176

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scvi1cE64H.exe_537799a119593c51a7c98839cb49112e54d5a1_25581918_587c2259-09a0-462d-a0b2-15feb988b233\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2897149520801492
Encrypted:	false
SSDEEP:	192:w46pbV3081iHxaWz8iygInlWaPzuiFoZ24lO8/4m:wbpbVE81iRa48iaWKzuiFoY4lO8/5
MD5:	C9A1906F3568A3948DAC9B8D2A4228E9
SHA1:	6939C46D36EB0C202D82612DB3D518C9260E13DE
SHA-256:	5FC70C28720B3001B82F4910A684AC2D249A2BF8DFFBA40254D21C1EDDCF8E59
SHA-512:	9E650BE4170B89EB2DB808D6EC12C8C10C9482D26D52647E46823079E27684FAC57B3CD402CA247705E1B072F8E158EF3C13FFF90711F096BBA91FF03740CA2B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.6.5.8.0.1.4.1.1.2.4.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.7.c.2.2.5.9.-.0.9.a.0.-.4.6.2.d.-.a.0.b.2.-.1.5.f.e.b.9.8.8.b.2.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.4.c.3.e.4.0.-.e.d.a.f.-.4.3.7.e.-.a.a.0.1.-.4.4.b.5.2.c.8.1.2.2.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.c.v.i.1.c.E.6.4.H...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.y.s.t.e.m.B.o.o.t.C.o.m.p.o.n.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.9.8.-.0.0.0.1.-.0.0.1.5.-.8.f.9.1.-.3.1.8.c.e.2.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.d.5.0.8.7.f.c.a.5.9.4.5.1.2.f.b.9.9.a.9.3.4.2.1.4.4.c.d.c.a.2.0.0.0.0.0.0.0.0.!.0.0.0.0.c.3.1.e.6.1.1.3.8.c.6.c.7.f.9.a.e.6.4.d.a.8.6.4.2.0.e.b.4.7.4.c.a.8.8.f.7.3.4.f.!.S.c.v.i.1.c.E.6.4.H...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE1A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sat Nov 23 20:03:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	626827
Entropy (8bit):	2.972974230942374
Encrypted:	false
SSDEEP:	6144:OJoS8VS0aS+C5QcSqz+3Qi619H6hUXbA0qFnDCScJTT8Dje:G0T4qz+Qv8UXbA9W
MD5:	D233787F955C544D6A1EC9DB24FC3D2B
SHA1:	3928371F4EF778F04D318ACCE419A86F8A0F0338
SHA-256:	E7A9F21F2471FC61C943DF85CB0A4DE715486F3ADED08258E71C67BA29A276FE
SHA-512:	1E771399A51E4E377C2EB07CBEE7F907B3A7AC7A350C48D5BEDB449EDC1E96F7D80F4FD864CEB925FA32BA267D21911992CF70EB7A27C4CEE8323660664B1F11
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........5Bg............$............ ..D.......$...0,..........T,.......E.............l.......8...........T............L...D...........=...........>..............................................................................eJ.......?......Lw......................T............4Bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF05D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9282
Entropy (8bit):	3.701792490287835
Encrypted:	false
SSDEEP:	192:R6l7wVeJBAinM6Y2D3GRPgmfk4j94t8XKprL89beMjPnPPafPKm:R6lXJGp6YaGRPgmfkU4t6egPnPPafT
MD5:	96CA39DCDD24FA115DFC4ADA2A4E20F6
SHA1:	947D5CE71AC74DCA0D4F3BCE5435569A942B53FE
SHA-256:	B4CA98F44CD496075404E2FBBD2618513D673E82B766C23D59F9816BAFFF2C79
SHA-512:	385E58E3821AE2824324CB92906EED3B2DE68B1AC03E1DF5555EB6DB4603C6A1F7102462CD83C5F342DC3A73A1AD33F401E20C0C2516851FC56BD0B7FB0EC51C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF09D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4937
Entropy (8bit):	4.4720668343824
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4Jg771I955kNlWpW8VYoYm8M4JqlOSFtyq8vRCOa1FNAit4d:uIjf+I7qkG7VkJovWQz1FNbt4d
MD5:	9861895A9E904369B63C81D7EDE77FD1
SHA1:	CDF6662FDC6C816DBE368497CCB06886CD2D08BC
SHA-256:	DDB61DC06C0AD7AEF816A6F9FA440B020894763A4B8D95073C582BE3A82E9B03
SHA-512:	29FD4D77D26A3CDC3D38604E589521E8191FB500BF3DB0D65A3D58CB88CF4F928C128345B686BA9A41557CBA6A1478E1442B18FA5547FA499C27F25DE34BF153
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="601146" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\Scvi1cE64H.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

Download File

Process:	C:\Users\user\Desktop\Scvi1cE64H.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.045020716272887
Encrypted:	false
SSDEEP:	1536:k+pH/PHZR+AcBTug2A4fsifZpbLyV+b9rYCYhd0ijWg9plObRIFnPJ9:pHMPhaJnby+b9NuWaplObREh9
MD5:	07C09B14A7719A820968AD2222428B87
SHA1:	C31E61138C6C7F9AE64DA86420EB474CA88F734F
SHA-256:	638A8FCAEC15D795231C5267C9649453BA4B85D0EA09A4455B2F20EA12BE39A5
SHA-512:	CE0F12A050F97434156D6872E30D722CE7EC72C1133A5581D12561095156E8F0357EAEB3BB622BBEFDB2EA1CBC3DEB81D96EEB1386379996B446D2D9CC53D8C6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|.Ag............................^,... ...@....@.. ....................................@..................................,..O....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@,......H........h..........&.....................................................(.....r...p. .....(.....rU..p. Q.x..s.........s.........s.........s..........rw..p. .(T..r...p. !.+..r...p. .g...r...p. #....r...p. ..e...((....r...p. p{..r9..p. ...."(....+.&(....&+..+5sJ... .... .'..oK...(,...~....-.(D...(6...~....oL...&.-..r...p. .&...r...p.r+..p. ~.H..rM..p. r.d..ro..p. E/................j..................sM..............~........."(F...+.*:.t..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

Download File

Process:	C:\Users\user\Desktop\Scvi1cE64H.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:02:00 2024, mtime=Sat Nov 23 19:02:00 2024, atime=Sat Nov 23 19:02:00 2024, length=71680, window=hide
Category:	dropped
Size (bytes):	1117
Entropy (8bit):	4.962962667875026
Encrypted:	false
SSDEEP:	24:8i8cDllX7bX2RPgKJqTUWm8AKa8AW/7Zh+Z2qygm:8i8cDllLbGRQ36/8X/9EZzyg
MD5:	2E062721E18F87596B2E655DD4BA59C3
SHA1:	1071172A6389775265FDB49203DCBF6AF6D221A3
SHA-256:	11E35951EB499CB32E3EC059A796496AE4265F1A0EF66B77FEFD4D2C50E81AAA
SHA-512:	601CA5AE3D3AF988D9213FC701BD6CDC7BC74ADA78EB497D61E397F892E2AC223DA9A849DF6A1AF52E6EB30744AC29A72E47EE920A66A1B25604EAAB717B6ACF
Malicious:	false
Reputation:	low
Preview:	L..................F.... .......=......=......=............................:..DG..Yr?.D..U..k0.&...&.......$..S....(..=..C...=......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2wY;............................^.A.p.p.D.a.t.a...B.P.1.....wY9...Local.<......EW<2wY;.....[.......................[.L.o.c.a.l.....N.1.....wY;...Temp..:......EW<2wY;.....^.....................dke.T.e.m.p.....\|.2.....wYA. .SYSTEM~1.EXE..`......wYA.wYA...........................j...S.y.s.t.e.m.B.o.o.t.C.o.m.p.o.n.e.n.t...e.x.e.......k...............-.......j...........*>x......C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe..4.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m.B.o.o.t.C.o.m.p.o.n.e.n.t...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......226533...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468808504291235
Encrypted:	false
SSDEEP:	6144:fzZfpi6ceLPx9skLmb0f5ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNXjDH5S2:LZHt5ZWOKnMM6bFphj42
MD5:	293F71EA928BA7403723334F3E791BD4
SHA1:	7A921EFAB9288230123FA72B167085E7976F4756
SHA-256:	376E9AB3CD75D8FB897CF20E99A5A80DC3B7116C1CC1DA0B5CAF77D96F888F62
SHA-512:	F56EDCE2E3D48E99B48A5B86B443C90E93B702BED237AA73B22BAE451A8B22BA2C6E53A1EE1973A3B2043AE6EE30274512E8502CC3665C6C1883E8D4459FE3F1
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....=.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.045020716272887
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Scvi1cE64H.exe
File size:	71'680 bytes
MD5:	07c09b14a7719a820968ad2222428b87
SHA1:	c31e61138c6c7f9ae64da86420eb474ca88f734f
SHA256:	638a8fcaec15d795231c5267c9649453ba4b85d0ea09a4455b2f20ea12be39a5
SHA512:	ce0f12a050f97434156d6872e30d722ce7ec72c1133a5581d12561095156e8f0357eaeb3bb622bbefdb2ea1cbc3deb81d96eeb1386379996b446d2d9cc53d8c6
SSDEEP:	1536:k+pH/PHZR+AcBTug2A4fsifZpbLyV+b9rYCYhd0ijWg9plObRIFnPJ9:pHMPhaJnby+b9NuWaplObREh9
TLSH:	64639DAC77E98515E0FFABB019B67312C779F6235803D36F64D5028B2723A888D506E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|.Ag............................^,... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x412c5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741ED7C [Sat Nov 23 14:58:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12c0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4fe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10c64	0x10e00	97a0662a4bc4ceb53d437480ba2acc47	False	0.5909143518518518	data	6.121319493977618	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4fe	0x600	babc890730caf3a578b757e481efcb5e	False	0.3821614583333333	data	3.799849732302214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	17523650017922a00ddc8c385bd6d22a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x274	data			0.4554140127388535
RT_MANIFEST	0x14314	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T21:02:07.465700+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:07.465700+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:12.893886+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:13.400101+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:13.402157+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:23.557552+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:23.559692+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:33.751740+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:33.755268+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:37.469899+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:37.469899+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:44.031724+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:44.052119+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:02:54.258816+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:02:54.261219+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:04.530376+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:04.533275+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:07.459544+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:07.459544+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:14.808213+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:14.821165+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:15.682718+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:15.684773+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:17.594967+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:17.598172+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP
2024-11-23T21:03:17.878758+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	81.161.238.249	7000	192.168.2.6	49707	TCP
2024-11-23T21:03:17.881558+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49707	81.161.238.249	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:02:02.356544018 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:02.482356071 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:02.482443094 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:02.646759033 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:02.766391993 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:07.465699911 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:07.513564110 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:12.893886089 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:13.115262032 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:13.400100946 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:13.402157068 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:13.531665087 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:23.107894897 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:23.254400015 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:23.557552099 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:23.559691906 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:23.679270983 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:33.347804070 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:33.470540047 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:33.751739979 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:33.755268097 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:33.876441002 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:37.469898939 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:37.513649940 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:43.628516912 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:43.748806953 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:44.031723976 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:44.052119017 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:44.178438902 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:53.857846022 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:53.977392912 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:54.258816004 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:02:54.261219025 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:02:54.387671947 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:04.092130899 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:04.214582920 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:04.530375957 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:04.533274889 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:04.652961016 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:07.459543943 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:07.513756037 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:14.326922894 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:14.452683926 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:14.808212996 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:14.821165085 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:14.940881968 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:15.202112913 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:15.395648003 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:15.682718039 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:15.684772968 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:15.811028004 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.123946905 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:17.247952938 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.436378956 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:17.555944920 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.594966888 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.598171949 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:17.719238043 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.878757954 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:17.881557941 CET	49707	7000	192.168.2.6	81.161.238.249
Nov 23, 2024 21:03:18.018441916 CET	7000	49707	81.161.238.249	192.168.2.6
Nov 23, 2024 21:03:28.619045973 CET	49707	7000	192.168.2.6	81.161.238.249

Target ID:	0
Start time:	15:01:56
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\Scvi1cE64H.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Scvi1cE64H.exe"
Imagebase:	0x5e0000
File size:	71'680 bytes
MD5 hash:	07C09B14A7719A820968AD2222428B87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2106877000.00000000005E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3018554385.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:03:21
Start date:	23/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5016 -s 1936
Imagebase:	0x7ff793110000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD348B398A Relevance: 4.0, Strings: 3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FFD348B39CC
CAM_^, xrefs: 00007FFD348B39F0
>, xrefs: 00007FFD348B398D

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: >$B$CAM_^
API String ID: 0-705359111
Opcode ID: a34ca490aa63e77422c3c01f45fd21ff90605106f60cd8cbcf4475ceb1a5b158
Instruction ID: bdd1d91064ae9f67be3b2c1a69c7816c7fd93829f68a675f476f922cb6227c8f
Opcode Fuzzy Hash: a34ca490aa63e77422c3c01f45fd21ff90605106f60cd8cbcf4475ceb1a5b158
Instruction Fuzzy Hash: 4C915470B18A094FE758DB68C4B57A9B7E2FF99304F14417DD40DD32D2DE7868819B41

Function 00007FFD348B2819 Relevance: 3.4, Strings: 2, Instructions: 928
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FFD348B39CC
CAM_^, xrefs: 00007FFD348B39F0

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: B$CAM_^
API String ID: 0-2030590545
Opcode ID: b0b883a5d46ddf97c3768950734f86ff072ba1f08ad1c8c8963bef71759fd5b1
Instruction ID: 67641243f5658737414e5b2131a3174accc349a5fd8598cba7dc920ce41d2de7
Opcode Fuzzy Hash: b0b883a5d46ddf97c3768950734f86ff072ba1f08ad1c8c8963bef71759fd5b1
Instruction Fuzzy Hash: 9762A070B18A098FEB94EF68C4A57A9B7E2FF99304F14457DD44DD3292DF38A8818B41

Function 00007FFD348B0FFA Relevance: 3.1, Strings: 2, Instructions: 621
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FFD348B13F1
4M_^, xrefs: 00007FFD348B1001

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: 4M_^$CAM_^
API String ID: 0-707661190
Opcode ID: b4a2b8523e1e42777f1af802a7cb9e1062045e1734c3bb55baba64bd1e54f688
Instruction ID: 1ed3b0ad144babbed5cb3e6db2a95553646a5a6ee3fe0e0894b7c6ac16962619
Opcode Fuzzy Hash: b4a2b8523e1e42777f1af802a7cb9e1062045e1734c3bb55baba64bd1e54f688
Instruction Fuzzy Hash: 2F12E121B1CA460FE7A4B7BC94B52B977D2EF8A350B444179E44EDB2D3DE7C78418281

Function 00007FFD348B10D3 Relevance: 3.1, Strings: 2, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3M_^, xrefs: 00007FFD348B1101
CAM_^, xrefs: 00007FFD348B13F1

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: 3M_^$CAM_^
API String ID: 0-1465715678
Opcode ID: 5beed0d7b1f6ac5807b3ae6c433f8e6e29875dfa6b7f57cd77d6e2d92a517f2b
Instruction ID: 19b475498864de4307a4386a196dbee9ad231b056051e20d13c63b36d4a24994
Opcode Fuzzy Hash: 5beed0d7b1f6ac5807b3ae6c433f8e6e29875dfa6b7f57cd77d6e2d92a517f2b
Instruction Fuzzy Hash: 7202D261B18A0A4FE794EB6C84B92B977D2FF8A340F444579E44ED72D3DE7CA8019381

Function 00007FFD348BAAE6 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#[lO, xrefs: 00007FFD348BAF7B
#[lO, xrefs: 00007FFD348BAB58

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: #[lO$#[lO
API String ID: 0-774237087
Opcode ID: d7c763848fb3091c1a071b4ecc9dca8421726ff1f91bc17fa7928bfe445b2849
Instruction ID: 402dfef21b8028db0af9d63293aabe78373feb4e9ba51ca00305180085c358b8
Opcode Fuzzy Hash: d7c763848fb3091c1a071b4ecc9dca8421726ff1f91bc17fa7928bfe445b2849
Instruction Fuzzy Hash: BBF1A930A08A4D4FEBA9DF28C8657E97BD1FF55310F04426EE84DC7291DF78A9458B81

Function 00007FFD348BB892 Relevance: 3.0, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#[lO, xrefs: 00007FFD348BBCF7
#[lO, xrefs: 00007FFD348BB908

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: #[lO$#[lO
API String ID: 0-774237087
Opcode ID: 1c505f9d3ace189089230383e4d5aa86c8b6116d4a28e8814b85faf07bd1d4e3
Instruction ID: 57abf2784959fb8f0f986282db1f1326f360dc9be3cd7a971f052f976c2ac88c
Opcode Fuzzy Hash: 1c505f9d3ace189089230383e4d5aa86c8b6116d4a28e8814b85faf07bd1d4e3
Instruction Fuzzy Hash: F6E1C430A08A8D8FEBA8DF28C8A57E977D1FF55310F04426ED84DC7695DE78A9448BC1

Function 00007FFD348B1080 Relevance: 1.8, Strings: 1, Instructions: 572
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FFD348B13F1

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: CAM_^
API String ID: 0-3136481660
Opcode ID: 155f0d125be47f01b6af1edda383951df3ea2f36d6b93d8ae360fba19a0bdbf1
Instruction ID: 13ed14a3872ddde152d62d96612fab8df0404826da9271dd34ca4d32990b65e9
Opcode Fuzzy Hash: 155f0d125be47f01b6af1edda383951df3ea2f36d6b93d8ae360fba19a0bdbf1
Instruction Fuzzy Hash: 2A02D261B18A0A0FE794E7BC84B92B977D2EF8A350F444579E44ED72D3DE7CA8019381

Function 00007FFD348B1168 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FFD348B13F1

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: CAM_^
API String ID: 0-3136481660
Opcode ID: 77e0d87b0f52ea5e55e94f79a8189260dce08011402be2b3b6e241a97fad3190
Instruction ID: 62fefcf4339206fb77a586d3c277695cbdb9b50b884579793bc08da088a3e87f
Opcode Fuzzy Hash: 77e0d87b0f52ea5e55e94f79a8189260dce08011402be2b3b6e241a97fad3190
Instruction Fuzzy Hash: 89E1C561B1CA4A0FEB94EB6884B927976D2FF8A340F44457DE44ED72D2DE7CAC019381

Function 00007FFD348B1088 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f6d899c7f02dfb7ad3cd60214258a08257b3659e8603f089fdf9d1022a3f87
Instruction ID: 2ac850e70aab254430f6851c2b3f1c353f0ef37ef5cf9182468fd95cc6de2494
Opcode Fuzzy Hash: 81f6d899c7f02dfb7ad3cd60214258a08257b3659e8603f089fdf9d1022a3f87
Instruction Fuzzy Hash: 20F1C161B18A094FE794EBB884B92B97BD2FF89350F44057DE44ED72D2DE38A8018781

Function 00007FFD348BC765 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea34c660e7a2da50e2be26709c57c8e17b4b9920948cd05debc19a91ef2f9162
Instruction ID: b79c0644d62986fd9ad0f289f676962eb4ce6b1fb36c27d78f53178a0d2105d1
Opcode Fuzzy Hash: ea34c660e7a2da50e2be26709c57c8e17b4b9920948cd05debc19a91ef2f9162
Instruction Fuzzy Hash: DDD1E431F1C90A4FF799EB6898A52B9B7E1FF4A311F0405BAD40DC3192DE6CA84697C1

Function 00007FFD348B61FB Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8232e9dee8b392166a224c4251ef09c98b4447ab70d7916ad789632494caf0
Instruction ID: 2000e3dfbd565713c704a18b76fdacf807e479097229302b4c00b994f0216d27
Opcode Fuzzy Hash: 2e8232e9dee8b392166a224c4251ef09c98b4447ab70d7916ad789632494caf0
Instruction Fuzzy Hash: A6B12C12B0DA961EEB216BBC68B61FA3B90DF87331B08017BD64CD60E3DD5C640A52D3

Function 00007FFD348B40E1 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD348B41C2

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 0e671ab067cd6af72a50fd34d606cff898905e323c355c08731f5c88cbf0a7c2
Instruction ID: 45ec78b052ee7bc9d8daba759ec82477af70e753be244a4a298642917f32329b
Opcode Fuzzy Hash: 0e671ab067cd6af72a50fd34d606cff898905e323c355c08731f5c88cbf0a7c2
Instruction Fuzzy Hash: 1841133190C6988FDB29DBA888556E9BBF0EF56310F08416FD08AC3592CB2868468B91

Function 00007FFD348B4A38 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD348B4B01

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 68be66e61b1e0f11dcff833f215826248f1535eb646cc994dd7d2de471af9bf3
Instruction ID: a9e26fa6c9404e9ec6ebb5b9aaf2707c64f1c611695908f9e4d1ae2671846153
Opcode Fuzzy Hash: 68be66e61b1e0f11dcff833f215826248f1535eb646cc994dd7d2de471af9bf3
Instruction Fuzzy Hash: 62410830A1CA4D8FDB18DFACD8566F9BBE5EB59321F00427ED049D3292CE74A81287C1

Non-executed Functions

Function 00007FFD348B6158 Relevance: 3.6, Strings: 2, Instructions: 1079COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD348BECDA
8`z4, xrefs: 00007FFD348BE46A

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: $8`z4
API String ID: 0-184767478
Opcode ID: 6fcdd090213989a48b98be7dbcc3d611e6784a114ffc2ff3b1334f4128bce974
Instruction ID: ffbd0ad76cfccc0f78bb80fe3a0732f753b460b8f8088c4e1307db7b36a95c4f
Opcode Fuzzy Hash: 6fcdd090213989a48b98be7dbcc3d611e6784a114ffc2ff3b1334f4128bce974
Instruction Fuzzy Hash: 0D724D30F1891A4FEBA8EB7884E567D73D6EF9A300B544578D50ED32C2DE6CE8529780

Function 00007FFD348B321C Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD348B3309
/, xrefs: 00007FFD348B3578

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: %$/
API String ID: 0-2617147878
Opcode ID: d7ebd3a49d2e72f03bc7884204a0eaac9fecaf83a45d04fdded572d3b421de29
Instruction ID: 4fc780a2ed788623999069450b93f284e3e589bc56d319557a99768da5eb0e66
Opcode Fuzzy Hash: d7ebd3a49d2e72f03bc7884204a0eaac9fecaf83a45d04fdded572d3b421de29
Instruction Fuzzy Hash: 6EC18470B18A094FEB58EF68C8A9769BBE2FF98304F14457DD44DD3291DF78A8818B41

Function 00007FFD348B0EE5 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

CAM_^, xrefs: 00007FFD348B13F1
5M_^, xrefs: 00007FFD348B0F01

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID: 5M_^$CAM_^
API String ID: 0-4156085251
Opcode ID: c51c8fc3d2e948562449d012a091e6ebca8484e342648345be309575a8198407
Instruction ID: 8b3ea860cbbf9fed41e3a5b333609b93ae04b8680db3bb14a6259c1ff1d458d3
Opcode Fuzzy Hash: c51c8fc3d2e948562449d012a091e6ebca8484e342648345be309575a8198407
Instruction Fuzzy Hash: 8141D613F0D1A66AD22177FC75751EE7B689F42378B0C52B7D18C9B093ACAC348682D5

Function 00007FFD348BF16C Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3021829979.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_Scvi1cE64H.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d7eda2f88e897c1a16e16736ca80b0bc9a09a49aab79868a4ab157b49f749c
Instruction ID: 8826b1df2b45bc317c8e88a492932ac6ba0146a77b540c98f8f69ea9dd8a775c
Opcode Fuzzy Hash: 51d7eda2f88e897c1a16e16736ca80b0bc9a09a49aab79868a4ab157b49f749c
Instruction Fuzzy Hash: 3071EA2064F7C54FE743937898A9AE57F91AF83325F0D41FAE188CE4A3DAD95806C742

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scvi1cE64H.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scvi1cE64H.exe_537799a119593c51a7c98839cb49112e54d5a1_25581918_587c2259-09a0-462d-a0b2-15feb988b233\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE1A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF05D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF09D.tmp.xml

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\SystemBootComponent.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemBootComponent.lnk

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Scvi1cE64H.exe

Function 00007FFD348B398A Relevance: 4.0, Strings: 3, Instructions: 254
COMMON

Function 00007FFD348B2819 Relevance: 3.4, Strings: 2, Instructions: 928
COMMON

Function 00007FFD348B0FFA Relevance: 3.1, Strings: 2, Instructions: 621
COMMON

Function 00007FFD348B10D3 Relevance: 3.1, Strings: 2, Instructions: 555
COMMON

Function 00007FFD348BAAE6 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Function 00007FFD348BB892 Relevance: 3.0, Strings: 2, Instructions: 462
COMMON

Function 00007FFD348B1080 Relevance: 1.8, Strings: 1, Instructions: 572
COMMON

Function 00007FFD348B1168 Relevance: 1.7, Strings: 1, Instructions: 487
COMMON

Function 00007FFD348B40E1 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Function 00007FFD348B4A38 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON