Windows Analysis Report
LHA9oUEAwZ.exe

Overview

General Information

Sample name:	LHA9oUEAwZ.exe renamed because original name is a hash value
Original sample name:	3149ac1cd2f798f14c82e4eaa81b1853.exe
Analysis ID:	1416005
MD5:	3149ac1cd2f798f14c82e4eaa81b1853
SHA1:	7939c17fc5433dcf060c2035bc035e5fefd33078
SHA256:	2391648221057ae4454b46e4010db00fa25551df4835c916ad1cf1354077234f
Tags:	32exetrojan
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LHA9oUEAwZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: win-britain.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: LHA9oUEAwZ.exe

Malware Configuration Extractor: Xworm {"C2 url": ["win-britain.gl.at.ply.gg"], "Port": "55238", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: LHA9oUEAwZ.exe

ReversingLabs: Detection: 86%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LHA9oUEAwZ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: LHA9oUEAwZ.exe	String decryptor: win-britain.gl.at.ply.gg
Source: LHA9oUEAwZ.exe	String decryptor: 55238
Source: LHA9oUEAwZ.exe	String decryptor: <123456789>
Source: LHA9oUEAwZ.exe	String decryptor: <Xwormmm>
Source: LHA9oUEAwZ.exe	String decryptor: XWorm V5.2
Source: LHA9oUEAwZ.exe	String decryptor: USB.exe
Source: LHA9oUEAwZ.exe	String decryptor: %AppData%
Source: LHA9oUEAwZ.exe	String decryptor: testnt.exe

Uses 32bit PE files

Source: LHA9oUEAwZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LHA9oUEAwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb0 source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb! source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LHA9oUEAwZ.PDBcesV source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8909.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbp source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp, WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb; source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8909.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: .pdbA source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: win-britain.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 147.185.221.18:55238

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.18 147.185.221.18

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: LHA9oUEAwZ.exe, testnt.exe.2.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: LHA9oUEAwZ.exe, 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: LHA9oUEAwZ.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC456B11	2_2_00007FFAAC456B11
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC4510FA	2_2_00007FFAAC4510FA
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC451BA1	2_2_00007FFAAC451BA1
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC455D61	2_2_00007FFAAC455D61

One or more processes crash

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6384 -s 844

Sample file is different than original file name gathered from version info

Source: LHA9oUEAwZ.exe, 00000002.00000000.1324830099.0000000000DD4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs LHA9oUEAwZ.exe
Source: LHA9oUEAwZ.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs LHA9oUEAwZ.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cscapi.dll	Jump to behavior

Uses 32bit PE files

Source: LHA9oUEAwZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: LHA9oUEAwZ.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: LHA9oUEAwZ.exe, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/8@2/2

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\testnt.exe

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6384
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\QcWDQBijgyqPrEH9

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: LHA9oUEAwZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LHA9oUEAwZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LHA9oUEAwZ.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File read: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LHA9oUEAwZ.exe "C:\Users\user\Desktop\LHA9oUEAwZ.exe"
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6384 -s 844

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: testnt.lnk.2.dr

LNK file: ..\..\..\..\..\testnt.exe

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LHA9oUEAwZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LHA9oUEAwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb0 source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb! source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LHA9oUEAwZ.PDBcesV source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8909.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbp source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp, WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb; source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8909.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: .pdbA source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gHAhN6cuIY6jdHAG5jiXIq._7djAdP40ZQYRLytyg6z4ww,gHAhN6cuIY6jdHAG5jiXIq.vNT9HESZs6wzYpQlnpv9bQ,gHAhN6cuIY6jdHAG5jiXIq.qqnQUu51giIhhiInLWaAZA,gHAhN6cuIY6jdHAG5jiXIq.ZksRuESs0HayxxFeOtjxnI,p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.bAyk0h8Ob84GvPhMEK10FPS3hfAR5zxBzUIzZuA5CHsTB1qcduUBKcsqHkHEdWXmCzAR4RLD()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2],p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie._9kcMNmeih7RUdhGKDbWewdtAH4wh5a4IOaa2CiNxlX4mFPxFWP7yfoUe6nikb2uyrC0NZ6N9(Convert.FromBase64String(MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gHAhN6cuIY6jdHAG5jiXIq._7djAdP40ZQYRLytyg6z4ww,gHAhN6cuIY6jdHAG5jiXIq.vNT9HESZs6wzYpQlnpv9bQ,gHAhN6cuIY6jdHAG5jiXIq.qqnQUu51giIhhiInLWaAZA,gHAhN6cuIY6jdHAG5jiXIq.ZksRuESs0HayxxFeOtjxnI,p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.bAyk0h8Ob84GvPhMEK10FPS3hfAR5zxBzUIzZuA5CHsTB1qcduUBKcsqHkHEdWXmCzAR4RLD()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2],p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie._9kcMNmeih7RUdhGKDbWewdtAH4wh5a4IOaa2CiNxlX4mFPxFWP7yfoUe6nikb2uyrC0NZ6N9(Convert.FromBase64String(MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: oPAJ4NA3yjtlpSliHpVRHy System.AppDomain.Load(byte[])
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk System.AppDomain.Load(byte[])
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: oPAJ4NA3yjtlpSliHpVRHy System.AppDomain.Load(byte[])
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk System.AppDomain.Load(byte[])
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Code function: 2_2_00007FFAAC4500BD pushad ; iretd

2_2_00007FFAAC4500C1

Source: LHA9oUEAwZ.exe, wbEY1BBMTLuOQnjFsb4qENNVloKJ7EbGgcClTBhaBFyHCKdc3xNJINRjl6XhJMMERGuEOGTH.cs	High entropy of concatenated method names: 'd4RIEYOE889BObHVS9EZ3BUv0WaONwcdQqrg6M1khN8kyFgethX0kg2YmaNRARXzNc7CCKWi', 'TZtcforiMD8eG0MNVLDDyZ47lIAXs8DV3HfplJR5OmSCEMy3aTAmPgPpKaGUACq9xIkRAzyC', 'DOfcHqAO2tYhZYdneKIDsPUeGoj0vOl3gWSocNDAg9dsX67ImVAyebvif', '_5v8hJph8viLMCz9kmDSRD9SrcH6my6LQvQzx4webg5PANXahB7p971TsgK0Xe9rwGes69yYErKybrM5JiT', 'rVchSt4iuWLnfMB90MmS3WRGWMTSA5xBRzC6FkxLPDYYCKh63Ek80IpP4a0g72rgLjHcWLcQa0OZSpPiGz', 'VH9HoxrmmU2onlovjCwmP4g1cwYZkaJCXGoYJVl9rAZN2VN8faxpqT7QfLqhuPlHWkXKPVzZ128YDtZc8C', 'hag6EjJ8okvTFbLyha99y2fhg1V52cgCMXJVFY2ikzXSDUnIxouEY66Z9S6KBy7hWvXCPILu46TJqHNtCt', 'uxlb5DY1WY63r3pZrUr7XhJ19nmQsTHuut5zlhJuI0yOiEJvSXK4iwZ6wiTbEEuIcnB', '_9JhcsGoKT2OnbqCpMBgkRWF7yFEdfd5SCPMETTpsiyw7Y1PL4xsbyGsOP9YNF6SUEFE', 'xE2cjQPo0nyAYLEV1tTOAi8qMqv7zKtusaNYWkZdNoyeaIG2nylWYikfDJzQg7qJSjw'
Source: LHA9oUEAwZ.exe, gHAhN6cuIY6jdHAG5jiXIq.cs	High entropy of concatenated method names: 'rSjPBjbxGoRHu62t7wtWvK01R7Nt1EckwWbjTDb4AX1eirpkTjBzOLK6pgYcmV9XbUIV5qj6dKsDRcCiU0Eaik2QX5', 'uSOiBOMWi0zufTHPCsbFCNH26LlNhdPJjKiJkhS9nM38X3Er14g15PQFhz8K67aab9U7L3LFjNjQpd6Dd8DRXhGvrE', 'wXAMTbTFKSXrM0fKS4KbfOIIpEQzNOruIDqxrsDRULwrxYmCXiejRCyPQPUNsewGNCgcUjdcy1DAVx0W75DlcGCCGK', '_1gZDAoCisI1KZPD4MNWamT0vSvwkHpwz23cteXIBRDQLojFUoJYUfQ4dxt7EiWvARFAeCHGbyfQ3aXr6aQ0HpQznDk'
Source: LHA9oUEAwZ.exe, caUeBYZfVwmeWecKlXVQ7tW3etHpDGaIrrzwqecG62TTOZYow1TXq8sSeP37gmRTdIXugIj983q5D20v.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kpBfQwWJ33Pg5WY5cTv1MT8QZJJeOExhDvE2MyW5vHe7htS4JqeBjo07ZEVBDSpneKdS5FUXrdm9AoupxeMVvFP4sj', 'eSf5Ji2J5t01WKHAZbTomxOLs5CfQAJGnHtPykEAdvcOW5M2KcgTe84qNBX8dsrWXgd6Gz8cWZF2tPtzIlJvtgMCuu', 'rhfua03rpysKziOJqCjWbfz0kAeLmL7kBTuHwyONb1KBKWTdmAkFaNyamnydFb1lpDl3a2VkRfG1dO3tImeGSr82oT', '_2cZOmdFrO9vD3sm3X7bn34SUBz1Gc67rNssT6yFyMzwhTb9pRKwzfqcK40inbtC0nrEsVBsBWFdU2LxJxKCs1UQcUR'
Source: LHA9oUEAwZ.exe, bh5AgBmmct9rNksQHppG7G.cs	High entropy of concatenated method names: 'zqn1SQUrFUMgHieXIorpxP', 'c04k38AmW1WWkBG1Xj3wvH', 'ZG8iCN2A0lEn1L6ydnzK42', 'gHmFGh8HlX6Zb4pRCESCiG', 'KHX41dZ3v4ndWAiAX7Ntew', 'gUGVVE4W2wDAXYH2i054eE', 'owXtj5QlhgpYpQdHlm58mq', 'ohfsz38hrN83Rk2XjK4n0u', 'cMTGVh7QlqnpqtS4THFPSH', 'z0AABSExIRPLOFe6d4YQGl'
Source: LHA9oUEAwZ.exe, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	High entropy of concatenated method names: 'FNHzWngLomEA2m0s7IkHnKswZPPuxbx9DqImvxXC', 'ym3amq6ICtFEpNGE25s8jQ096Z0jTdy7wWYGlWGGymDG2Zt3gT', 'zEBPDZSKVOzQ5zlq7Ri0JkZLP0DH0SROGSexfv8P1vtePgTltl', 'iNwVIlJ1tjsdxiCHWDvBpTlhvrvIlYZMw96bx0dsn1cqc8Ejzw', 'rDi3OHpasRrnDFdZG2IPJj5sBAJxI5zZjKMR8eTisj5fRHqyde'
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	High entropy of concatenated method names: 'u5yD0BUm2PcSw0iB0GO3cP', 'oPAJ4NA3yjtlpSliHpVRHy', 'mDEbck9Dl7iLQmmmTiw4D5', '_7Z84Hk2AYvRgn54bPqWxxH', 'Mv3s3rXUYJDv1MlRaV5NZxp1lrZYGvPAA0ykgRtUbGEETMn7PiLRJtx', '_77YyemyOEFU7itfJCUsjpOx8gcqGs8FUQuQbA9o8ta3m6IZGpENCEdn', 'sHvtH3qz9BfXf8zkENDR7dEgvIfjGrGSPeJGEtatrfFc06ORCLo5ldj', '_0juZ9cgK4ayrYhpT7hhADZrbXqLW4FBWPOFjBSBSa4ZCUS5BFAoeDEI', 'wMVjv6gIyHStMsg1FglMtkNzcQO4BpY256l7vPnLEsfsR6NLveTsN8R', 'UIfHerstaAUFl4huhLMnguGkk7zmMhlt614liUFezUqNobGa6g6vH3x'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	High entropy of concatenated method names: 'Wk5Rb1ThVxurWW4bR1FzYtajBSNZ3f3cYDGvN7KK', 'OE6M0rFV82DhFKGwpEZVAxuiE8p1tK1ipzXidSoY', 'Erk5rdelfOjiuryrno1aRfle7byjXfKUxM1IIYEu', 'uNO52gJl8XiflpctQQdzmbqRKQejB1mbrjnEehsD', 'c9zSsXTzShpzMwYex5arwnBbukAePQnQ4WeJe3Ax', 'zyjJyxkzs2oh0kJZ9Y4EqfRAZDI4Uwi0aea8ZOrX', 'Qavs0kE80dO9dbK005T8Q8cLCd044xtxvwy7y0mZ', 'xSogTl37TYlau03YlfU1eGjgqwst6VUgqvUruZ0E', 'UZRKZV3Dt0DNJZBzWiRF95ZUl55fQaz6d7JbqDRX', '_85FPJGNAtQhSjWYn0FzmTXtkBRhzY9oQUFKTjHdH'
Source: LHA9oUEAwZ.exe, HSv2czNGQ5ZtVacsXcu1DvtdZfn74sbSWa0KpGeNi8UwefY4Ro8oGJD.cs	High entropy of concatenated method names: 'rQ89f38m37zZhF5nfv6r8KS0hp8uP8FGlG9AqgdmUIkjHvZRSEBgNNI', '_3vrFleZlqfNAg5HVW', 'fkj2QBHwu6XlJY3Hj', 'QoIvAOGEAuZz19ONd', 'PabkqXCUaLQLay6wi'
Source: LHA9oUEAwZ.exe, A6KJM5OnMj4l8Zs9YLwXRUrIXz7tx6TKgT2mMjtx.cs	High entropy of concatenated method names: '_6b35A2axSWdonI5on3vsc92D2xbKfFvyKpIExQaY', 'pD752BHE35OB8WiKtQr0p60F3fC0avicmI5yc9k0', 'MIa5PswOlrNKDMMa2MtCLkv8JmGtgOBwVZ0JWBKg', 'WP1FEFB4Q0dzyFiN1WGA2farZLuhgXlcgyS4w0p8', 'aN8VjZcHu2u8Rmtbv', 'TJhDrOu62xHF82TLB', 's57B1kOnf10WLh9Kf', 'U2nIHzR0ooxGpXetJ', '_5uvptiCCabgcq63Ok', 'PCwTgXZAzcLFF2yAy'
Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	High entropy of concatenated method names: 'sIEUBVVBXhvymuoXBq3b8l', '_3a9P2xLTv2K5DSI1e6EgiN', 'x7AF0fxrGevqKUlbD2cq16', 'RookwFJp4qwU93FcPJHhs9', 'WEmXE5AIt2cD3OBQCaKM4i', 'AX0TTbOTnCbv0dJZkxNakn', '_7mSDokXU63yRJoAkHZffOf', 'xMmJ0OlkoEPrEXhP9GEKCD', 'jHFzismFBt9yWCZ9fGZjnY', '_4Oqr7SZUXA9Ugg6ixxP9AO'
Source: LHA9oUEAwZ.exe, nAqjKWnahmZlgbIrYsgeU9lRcu9NpU73tOyeIJVmtQ5RNbG4wKEHQmh.cs	High entropy of concatenated method names: 'ecISpUVC7UxhPRPd30VapydpSI3nLfDU5zGNeurGECmvF6f80F7gLee', 'QPr3dnXNquZaXW00q8qX0kwzlalzdv5WD40SmZ2LveeYB91exVAJO2I', 'QkVvTmVgSKYKr7VP9tcaLfRxRuOQ8TBP7XFtqGKFjWQWcXbmZXm0XvO', '_8H4z0sovpRkdAbqc3aAZFRhMun7X0O8z3K5AbYLMBgWRNF6nXHQ3gSj', 'JVlMsxOMPrYBrJus3mp3o2MoVofS3QV3NVnZ3QFFRbnZbSryG6RJJNh', 'oDJOt48iSKv0kcDhtOSbYR4rwZBi41caMtJzs2OROH0PF9xcp9uiTXK', 'X5karREfXDJrjLMfdIVTqRy4MGXUKCSlk0lA6BLH', 'O0Z7l9kZro8pyJuwJz6TQCgkkURsYV5irdxZS62c', 'JIwTQcoqzczSqlagZlMQziGeR9WoolecjR0gmTSg', 'E7GV89f8RBAgZqKGmAmkarjRsclTRcq2f5LmflzP'
Source: testnt.exe.2.dr, wbEY1BBMTLuOQnjFsb4qENNVloKJ7EbGgcClTBhaBFyHCKdc3xNJINRjl6XhJMMERGuEOGTH.cs	High entropy of concatenated method names: 'd4RIEYOE889BObHVS9EZ3BUv0WaONwcdQqrg6M1khN8kyFgethX0kg2YmaNRARXzNc7CCKWi', 'TZtcforiMD8eG0MNVLDDyZ47lIAXs8DV3HfplJR5OmSCEMy3aTAmPgPpKaGUACq9xIkRAzyC', 'DOfcHqAO2tYhZYdneKIDsPUeGoj0vOl3gWSocNDAg9dsX67ImVAyebvif', '_5v8hJph8viLMCz9kmDSRD9SrcH6my6LQvQzx4webg5PANXahB7p971TsgK0Xe9rwGes69yYErKybrM5JiT', 'rVchSt4iuWLnfMB90MmS3WRGWMTSA5xBRzC6FkxLPDYYCKh63Ek80IpP4a0g72rgLjHcWLcQa0OZSpPiGz', 'VH9HoxrmmU2onlovjCwmP4g1cwYZkaJCXGoYJVl9rAZN2VN8faxpqT7QfLqhuPlHWkXKPVzZ128YDtZc8C', 'hag6EjJ8okvTFbLyha99y2fhg1V52cgCMXJVFY2ikzXSDUnIxouEY66Z9S6KBy7hWvXCPILu46TJqHNtCt', 'uxlb5DY1WY63r3pZrUr7XhJ19nmQsTHuut5zlhJuI0yOiEJvSXK4iwZ6wiTbEEuIcnB', '_9JhcsGoKT2OnbqCpMBgkRWF7yFEdfd5SCPMETTpsiyw7Y1PL4xsbyGsOP9YNF6SUEFE', 'xE2cjQPo0nyAYLEV1tTOAi8qMqv7zKtusaNYWkZdNoyeaIG2nylWYikfDJzQg7qJSjw'
Source: testnt.exe.2.dr, gHAhN6cuIY6jdHAG5jiXIq.cs	High entropy of concatenated method names: 'rSjPBjbxGoRHu62t7wtWvK01R7Nt1EckwWbjTDb4AX1eirpkTjBzOLK6pgYcmV9XbUIV5qj6dKsDRcCiU0Eaik2QX5', 'uSOiBOMWi0zufTHPCsbFCNH26LlNhdPJjKiJkhS9nM38X3Er14g15PQFhz8K67aab9U7L3LFjNjQpd6Dd8DRXhGvrE', 'wXAMTbTFKSXrM0fKS4KbfOIIpEQzNOruIDqxrsDRULwrxYmCXiejRCyPQPUNsewGNCgcUjdcy1DAVx0W75DlcGCCGK', '_1gZDAoCisI1KZPD4MNWamT0vSvwkHpwz23cteXIBRDQLojFUoJYUfQ4dxt7EiWvARFAeCHGbyfQ3aXr6aQ0HpQznDk'
Source: testnt.exe.2.dr, caUeBYZfVwmeWecKlXVQ7tW3etHpDGaIrrzwqecG62TTOZYow1TXq8sSeP37gmRTdIXugIj983q5D20v.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kpBfQwWJ33Pg5WY5cTv1MT8QZJJeOExhDvE2MyW5vHe7htS4JqeBjo07ZEVBDSpneKdS5FUXrdm9AoupxeMVvFP4sj', 'eSf5Ji2J5t01WKHAZbTomxOLs5CfQAJGnHtPykEAdvcOW5M2KcgTe84qNBX8dsrWXgd6Gz8cWZF2tPtzIlJvtgMCuu', 'rhfua03rpysKziOJqCjWbfz0kAeLmL7kBTuHwyONb1KBKWTdmAkFaNyamnydFb1lpDl3a2VkRfG1dO3tImeGSr82oT', '_2cZOmdFrO9vD3sm3X7bn34SUBz1Gc67rNssT6yFyMzwhTb9pRKwzfqcK40inbtC0nrEsVBsBWFdU2LxJxKCs1UQcUR'
Source: testnt.exe.2.dr, bh5AgBmmct9rNksQHppG7G.cs	High entropy of concatenated method names: 'zqn1SQUrFUMgHieXIorpxP', 'c04k38AmW1WWkBG1Xj3wvH', 'ZG8iCN2A0lEn1L6ydnzK42', 'gHmFGh8HlX6Zb4pRCESCiG', 'KHX41dZ3v4ndWAiAX7Ntew', 'gUGVVE4W2wDAXYH2i054eE', 'owXtj5QlhgpYpQdHlm58mq', 'ohfsz38hrN83Rk2XjK4n0u', 'cMTGVh7QlqnpqtS4THFPSH', 'z0AABSExIRPLOFe6d4YQGl'
Source: testnt.exe.2.dr, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	High entropy of concatenated method names: 'FNHzWngLomEA2m0s7IkHnKswZPPuxbx9DqImvxXC', 'ym3amq6ICtFEpNGE25s8jQ096Z0jTdy7wWYGlWGGymDG2Zt3gT', 'zEBPDZSKVOzQ5zlq7Ri0JkZLP0DH0SROGSexfv8P1vtePgTltl', 'iNwVIlJ1tjsdxiCHWDvBpTlhvrvIlYZMw96bx0dsn1cqc8Ejzw', 'rDi3OHpasRrnDFdZG2IPJj5sBAJxI5zZjKMR8eTisj5fRHqyde'
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	High entropy of concatenated method names: 'u5yD0BUm2PcSw0iB0GO3cP', 'oPAJ4NA3yjtlpSliHpVRHy', 'mDEbck9Dl7iLQmmmTiw4D5', '_7Z84Hk2AYvRgn54bPqWxxH', 'Mv3s3rXUYJDv1MlRaV5NZxp1lrZYGvPAA0ykgRtUbGEETMn7PiLRJtx', '_77YyemyOEFU7itfJCUsjpOx8gcqGs8FUQuQbA9o8ta3m6IZGpENCEdn', 'sHvtH3qz9BfXf8zkENDR7dEgvIfjGrGSPeJGEtatrfFc06ORCLo5ldj', '_0juZ9cgK4ayrYhpT7hhADZrbXqLW4FBWPOFjBSBSa4ZCUS5BFAoeDEI', 'wMVjv6gIyHStMsg1FglMtkNzcQO4BpY256l7vPnLEsfsR6NLveTsN8R', 'UIfHerstaAUFl4huhLMnguGkk7zmMhlt614liUFezUqNobGa6g6vH3x'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	High entropy of concatenated method names: 'Wk5Rb1ThVxurWW4bR1FzYtajBSNZ3f3cYDGvN7KK', 'OE6M0rFV82DhFKGwpEZVAxuiE8p1tK1ipzXidSoY', 'Erk5rdelfOjiuryrno1aRfle7byjXfKUxM1IIYEu', 'uNO52gJl8XiflpctQQdzmbqRKQejB1mbrjnEehsD', 'c9zSsXTzShpzMwYex5arwnBbukAePQnQ4WeJe3Ax', 'zyjJyxkzs2oh0kJZ9Y4EqfRAZDI4Uwi0aea8ZOrX', 'Qavs0kE80dO9dbK005T8Q8cLCd044xtxvwy7y0mZ', 'xSogTl37TYlau03YlfU1eGjgqwst6VUgqvUruZ0E', 'UZRKZV3Dt0DNJZBzWiRF95ZUl55fQaz6d7JbqDRX', '_85FPJGNAtQhSjWYn0FzmTXtkBRhzY9oQUFKTjHdH'
Source: testnt.exe.2.dr, HSv2czNGQ5ZtVacsXcu1DvtdZfn74sbSWa0KpGeNi8UwefY4Ro8oGJD.cs	High entropy of concatenated method names: 'rQ89f38m37zZhF5nfv6r8KS0hp8uP8FGlG9AqgdmUIkjHvZRSEBgNNI', '_3vrFleZlqfNAg5HVW', 'fkj2QBHwu6XlJY3Hj', 'QoIvAOGEAuZz19ONd', 'PabkqXCUaLQLay6wi'
Source: testnt.exe.2.dr, A6KJM5OnMj4l8Zs9YLwXRUrIXz7tx6TKgT2mMjtx.cs	High entropy of concatenated method names: '_6b35A2axSWdonI5on3vsc92D2xbKfFvyKpIExQaY', 'pD752BHE35OB8WiKtQr0p60F3fC0avicmI5yc9k0', 'MIa5PswOlrNKDMMa2MtCLkv8JmGtgOBwVZ0JWBKg', 'WP1FEFB4Q0dzyFiN1WGA2farZLuhgXlcgyS4w0p8', 'aN8VjZcHu2u8Rmtbv', 'TJhDrOu62xHF82TLB', 's57B1kOnf10WLh9Kf', 'U2nIHzR0ooxGpXetJ', '_5uvptiCCabgcq63Ok', 'PCwTgXZAzcLFF2yAy'
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	High entropy of concatenated method names: 'sIEUBVVBXhvymuoXBq3b8l', '_3a9P2xLTv2K5DSI1e6EgiN', 'x7AF0fxrGevqKUlbD2cq16', 'RookwFJp4qwU93FcPJHhs9', 'WEmXE5AIt2cD3OBQCaKM4i', 'AX0TTbOTnCbv0dJZkxNakn', '_7mSDokXU63yRJoAkHZffOf', 'xMmJ0OlkoEPrEXhP9GEKCD', 'jHFzismFBt9yWCZ9fGZjnY', '_4Oqr7SZUXA9Ugg6ixxP9AO'
Source: testnt.exe.2.dr, nAqjKWnahmZlgbIrYsgeU9lRcu9NpU73tOyeIJVmtQ5RNbG4wKEHQmh.cs	High entropy of concatenated method names: 'ecISpUVC7UxhPRPd30VapydpSI3nLfDU5zGNeurGECmvF6f80F7gLee', 'QPr3dnXNquZaXW00q8qX0kwzlalzdv5WD40SmZ2LveeYB91exVAJO2I', 'QkVvTmVgSKYKr7VP9tcaLfRxRuOQ8TBP7XFtqGKFjWQWcXbmZXm0XvO', '_8H4z0sovpRkdAbqc3aAZFRhMun7X0O8z3K5AbYLMBgWRNF6nXHQ3gSj', 'JVlMsxOMPrYBrJus3mp3o2MoVofS3QV3NVnZ3QFFRbnZbSryG6RJJNh', 'oDJOt48iSKv0kcDhtOSbYR4rwZBi41caMtJzs2OROH0PF9xcp9uiTXK', 'X5karREfXDJrjLMfdIVTqRy4MGXUKCSlk0lA6BLH', 'O0Z7l9kZro8pyJuwJz6TQCgkkURsYV5irdxZS62c', 'JIwTQcoqzczSqlagZlMQziGeR9WoolecjR0gmTSg', 'E7GV89f8RBAgZqKGmAmkarjRsclTRcq2f5LmflzP'

Drops PE files

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\testnt.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\testnt.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\testnt.lnk

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LHA9oUEAwZ.exe, testnt.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Memory allocated: 1710000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Memory allocated: 1B110000 memory reserve \| memory write watch			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Window / User API: threadDelayed 9705

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe TID: 5532	Thread sleep time: -281000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe TID: 5532	Thread sleep time: -9705000s >= -30000s			Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: testnt.exe.2.dr	Binary or memory string: vmware
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Code function: 2_2_00007FFAAC45281A CheckRemoteDebuggerPresent,

2_2_00007FFAAC45281A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Queries volume information: C:\Users\user\Desktop\LHA9oUEAwZ.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LHA9oUEAwZ.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LHA9oUEAwZ.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
147.185.221.18	win-britain.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true
win-britain.gl.at.ply.gg	147.185.221.18	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
win-britain.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LHA9oUEAwZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: win-britain.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: LHA9oUEAwZ.exe

Malware Configuration Extractor: Xworm {"C2 url": ["win-britain.gl.at.ply.gg"], "Port": "55238", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: LHA9oUEAwZ.exe

ReversingLabs: Detection: 86%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\testnt.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LHA9oUEAwZ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: LHA9oUEAwZ.exe	String decryptor: win-britain.gl.at.ply.gg
Source: LHA9oUEAwZ.exe	String decryptor: 55238
Source: LHA9oUEAwZ.exe	String decryptor: <123456789>
Source: LHA9oUEAwZ.exe	String decryptor: <Xwormmm>
Source: LHA9oUEAwZ.exe	String decryptor: XWorm V5.2
Source: LHA9oUEAwZ.exe	String decryptor: USB.exe
Source: LHA9oUEAwZ.exe	String decryptor: %AppData%
Source: LHA9oUEAwZ.exe	String decryptor: testnt.exe

Uses 32bit PE files

Source: LHA9oUEAwZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LHA9oUEAwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb0 source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb! source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LHA9oUEAwZ.PDBcesV source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8909.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbp source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp, WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb; source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8909.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: .pdbA source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: win-britain.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 147.185.221.18:55238

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.18 147.185.221.18

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: LHA9oUEAwZ.exe, testnt.exe.2.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: LHA9oUEAwZ.exe, 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: LHA9oUEAwZ.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC456B11	2_2_00007FFAAC456B11
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC4510FA	2_2_00007FFAAC4510FA
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC451BA1	2_2_00007FFAAC451BA1
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Code function: 2_2_00007FFAAC455D61	2_2_00007FFAAC455D61

One or more processes crash

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6384 -s 844

Sample file is different than original file name gathered from version info

Source: LHA9oUEAwZ.exe, 00000002.00000000.1324830099.0000000000DD4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs LHA9oUEAwZ.exe
Source: LHA9oUEAwZ.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs LHA9oUEAwZ.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Section loaded: cscapi.dll	Jump to behavior

Uses 32bit PE files

Source: LHA9oUEAwZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: LHA9oUEAwZ.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: LHA9oUEAwZ.exe, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/8@2/2

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\testnt.exe

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6384
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\QcWDQBijgyqPrEH9

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: LHA9oUEAwZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LHA9oUEAwZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LHA9oUEAwZ.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File read: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LHA9oUEAwZ.exe "C:\Users\user\Desktop\LHA9oUEAwZ.exe"
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6384 -s 844

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: testnt.lnk.2.dr

LNK file: ..\..\..\..\..\testnt.exe

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LHA9oUEAwZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LHA9oUEAwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb0 source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb! source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\Desktop\LHA9oUEAwZ.PDBcesV source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8909.tmp.dmp.12.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbp source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3242499109.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp, WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Core.pdb; source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Drawing.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Management.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3245967090.000000001C032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8909.tmp.dmp.12.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8909.tmp.dmp.12.dr
Source:	Binary string: .pdbA source: LHA9oUEAwZ.exe, 00000002.00000002.3246366236.000000001C818000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8909.tmp.dmp.12.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gHAhN6cuIY6jdHAG5jiXIq._7djAdP40ZQYRLytyg6z4ww,gHAhN6cuIY6jdHAG5jiXIq.vNT9HESZs6wzYpQlnpv9bQ,gHAhN6cuIY6jdHAG5jiXIq.qqnQUu51giIhhiInLWaAZA,gHAhN6cuIY6jdHAG5jiXIq.ZksRuESs0HayxxFeOtjxnI,p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.bAyk0h8Ob84GvPhMEK10FPS3hfAR5zxBzUIzZuA5CHsTB1qcduUBKcsqHkHEdWXmCzAR4RLD()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2],p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie._9kcMNmeih7RUdhGKDbWewdtAH4wh5a4IOaa2CiNxlX4mFPxFWP7yfoUe6nikb2uyrC0NZ6N9(Convert.FromBase64String(MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gHAhN6cuIY6jdHAG5jiXIq._7djAdP40ZQYRLytyg6z4ww,gHAhN6cuIY6jdHAG5jiXIq.vNT9HESZs6wzYpQlnpv9bQ,gHAhN6cuIY6jdHAG5jiXIq.qqnQUu51giIhhiInLWaAZA,gHAhN6cuIY6jdHAG5jiXIq.ZksRuESs0HayxxFeOtjxnI,p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.bAyk0h8Ob84GvPhMEK10FPS3hfAR5zxBzUIzZuA5CHsTB1qcduUBKcsqHkHEdWXmCzAR4RLD()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2],p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie._9kcMNmeih7RUdhGKDbWewdtAH4wh5a4IOaa2CiNxlX4mFPxFWP7yfoUe6nikb2uyrC0NZ6N9(Convert.FromBase64String(MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MiSCZ88ENHevWMQO4fY1UCcrlo63AM3Btc564hZJhFUBFmH4LxXFlSQ[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: oPAJ4NA3yjtlpSliHpVRHy System.AppDomain.Load(byte[])
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk System.AppDomain.Load(byte[])
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: oPAJ4NA3yjtlpSliHpVRHy System.AppDomain.Load(byte[])
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk System.AppDomain.Load(byte[])
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	.Net Code: kxqnAuS1ccY111f2wI4F05S8pZdH9vKiathPBYc7BwzDWwWxTsgZfHk

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Code function: 2_2_00007FFAAC4500BD pushad ; iretd

2_2_00007FFAAC4500C1

Source: LHA9oUEAwZ.exe, wbEY1BBMTLuOQnjFsb4qENNVloKJ7EbGgcClTBhaBFyHCKdc3xNJINRjl6XhJMMERGuEOGTH.cs	High entropy of concatenated method names: 'd4RIEYOE889BObHVS9EZ3BUv0WaONwcdQqrg6M1khN8kyFgethX0kg2YmaNRARXzNc7CCKWi', 'TZtcforiMD8eG0MNVLDDyZ47lIAXs8DV3HfplJR5OmSCEMy3aTAmPgPpKaGUACq9xIkRAzyC', 'DOfcHqAO2tYhZYdneKIDsPUeGoj0vOl3gWSocNDAg9dsX67ImVAyebvif', '_5v8hJph8viLMCz9kmDSRD9SrcH6my6LQvQzx4webg5PANXahB7p971TsgK0Xe9rwGes69yYErKybrM5JiT', 'rVchSt4iuWLnfMB90MmS3WRGWMTSA5xBRzC6FkxLPDYYCKh63Ek80IpP4a0g72rgLjHcWLcQa0OZSpPiGz', 'VH9HoxrmmU2onlovjCwmP4g1cwYZkaJCXGoYJVl9rAZN2VN8faxpqT7QfLqhuPlHWkXKPVzZ128YDtZc8C', 'hag6EjJ8okvTFbLyha99y2fhg1V52cgCMXJVFY2ikzXSDUnIxouEY66Z9S6KBy7hWvXCPILu46TJqHNtCt', 'uxlb5DY1WY63r3pZrUr7XhJ19nmQsTHuut5zlhJuI0yOiEJvSXK4iwZ6wiTbEEuIcnB', '_9JhcsGoKT2OnbqCpMBgkRWF7yFEdfd5SCPMETTpsiyw7Y1PL4xsbyGsOP9YNF6SUEFE', 'xE2cjQPo0nyAYLEV1tTOAi8qMqv7zKtusaNYWkZdNoyeaIG2nylWYikfDJzQg7qJSjw'
Source: LHA9oUEAwZ.exe, gHAhN6cuIY6jdHAG5jiXIq.cs	High entropy of concatenated method names: 'rSjPBjbxGoRHu62t7wtWvK01R7Nt1EckwWbjTDb4AX1eirpkTjBzOLK6pgYcmV9XbUIV5qj6dKsDRcCiU0Eaik2QX5', 'uSOiBOMWi0zufTHPCsbFCNH26LlNhdPJjKiJkhS9nM38X3Er14g15PQFhz8K67aab9U7L3LFjNjQpd6Dd8DRXhGvrE', 'wXAMTbTFKSXrM0fKS4KbfOIIpEQzNOruIDqxrsDRULwrxYmCXiejRCyPQPUNsewGNCgcUjdcy1DAVx0W75DlcGCCGK', '_1gZDAoCisI1KZPD4MNWamT0vSvwkHpwz23cteXIBRDQLojFUoJYUfQ4dxt7EiWvARFAeCHGbyfQ3aXr6aQ0HpQznDk'
Source: LHA9oUEAwZ.exe, caUeBYZfVwmeWecKlXVQ7tW3etHpDGaIrrzwqecG62TTOZYow1TXq8sSeP37gmRTdIXugIj983q5D20v.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kpBfQwWJ33Pg5WY5cTv1MT8QZJJeOExhDvE2MyW5vHe7htS4JqeBjo07ZEVBDSpneKdS5FUXrdm9AoupxeMVvFP4sj', 'eSf5Ji2J5t01WKHAZbTomxOLs5CfQAJGnHtPykEAdvcOW5M2KcgTe84qNBX8dsrWXgd6Gz8cWZF2tPtzIlJvtgMCuu', 'rhfua03rpysKziOJqCjWbfz0kAeLmL7kBTuHwyONb1KBKWTdmAkFaNyamnydFb1lpDl3a2VkRfG1dO3tImeGSr82oT', '_2cZOmdFrO9vD3sm3X7bn34SUBz1Gc67rNssT6yFyMzwhTb9pRKwzfqcK40inbtC0nrEsVBsBWFdU2LxJxKCs1UQcUR'
Source: LHA9oUEAwZ.exe, bh5AgBmmct9rNksQHppG7G.cs	High entropy of concatenated method names: 'zqn1SQUrFUMgHieXIorpxP', 'c04k38AmW1WWkBG1Xj3wvH', 'ZG8iCN2A0lEn1L6ydnzK42', 'gHmFGh8HlX6Zb4pRCESCiG', 'KHX41dZ3v4ndWAiAX7Ntew', 'gUGVVE4W2wDAXYH2i054eE', 'owXtj5QlhgpYpQdHlm58mq', 'ohfsz38hrN83Rk2XjK4n0u', 'cMTGVh7QlqnpqtS4THFPSH', 'z0AABSExIRPLOFe6d4YQGl'
Source: LHA9oUEAwZ.exe, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	High entropy of concatenated method names: 'FNHzWngLomEA2m0s7IkHnKswZPPuxbx9DqImvxXC', 'ym3amq6ICtFEpNGE25s8jQ096Z0jTdy7wWYGlWGGymDG2Zt3gT', 'zEBPDZSKVOzQ5zlq7Ri0JkZLP0DH0SROGSexfv8P1vtePgTltl', 'iNwVIlJ1tjsdxiCHWDvBpTlhvrvIlYZMw96bx0dsn1cqc8Ejzw', 'rDi3OHpasRrnDFdZG2IPJj5sBAJxI5zZjKMR8eTisj5fRHqyde'
Source: LHA9oUEAwZ.exe, p1IG6OHEpiNB43wrLsWuNu.cs	High entropy of concatenated method names: 'u5yD0BUm2PcSw0iB0GO3cP', 'oPAJ4NA3yjtlpSliHpVRHy', 'mDEbck9Dl7iLQmmmTiw4D5', '_7Z84Hk2AYvRgn54bPqWxxH', 'Mv3s3rXUYJDv1MlRaV5NZxp1lrZYGvPAA0ykgRtUbGEETMn7PiLRJtx', '_77YyemyOEFU7itfJCUsjpOx8gcqGs8FUQuQbA9o8ta3m6IZGpENCEdn', 'sHvtH3qz9BfXf8zkENDR7dEgvIfjGrGSPeJGEtatrfFc06ORCLo5ldj', '_0juZ9cgK4ayrYhpT7hhADZrbXqLW4FBWPOFjBSBSa4ZCUS5BFAoeDEI', 'wMVjv6gIyHStMsg1FglMtkNzcQO4BpY256l7vPnLEsfsR6NLveTsN8R', 'UIfHerstaAUFl4huhLMnguGkk7zmMhlt614liUFezUqNobGa6g6vH3x'
Source: LHA9oUEAwZ.exe, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	High entropy of concatenated method names: 'Wk5Rb1ThVxurWW4bR1FzYtajBSNZ3f3cYDGvN7KK', 'OE6M0rFV82DhFKGwpEZVAxuiE8p1tK1ipzXidSoY', 'Erk5rdelfOjiuryrno1aRfle7byjXfKUxM1IIYEu', 'uNO52gJl8XiflpctQQdzmbqRKQejB1mbrjnEehsD', 'c9zSsXTzShpzMwYex5arwnBbukAePQnQ4WeJe3Ax', 'zyjJyxkzs2oh0kJZ9Y4EqfRAZDI4Uwi0aea8ZOrX', 'Qavs0kE80dO9dbK005T8Q8cLCd044xtxvwy7y0mZ', 'xSogTl37TYlau03YlfU1eGjgqwst6VUgqvUruZ0E', 'UZRKZV3Dt0DNJZBzWiRF95ZUl55fQaz6d7JbqDRX', '_85FPJGNAtQhSjWYn0FzmTXtkBRhzY9oQUFKTjHdH'
Source: LHA9oUEAwZ.exe, HSv2czNGQ5ZtVacsXcu1DvtdZfn74sbSWa0KpGeNi8UwefY4Ro8oGJD.cs	High entropy of concatenated method names: 'rQ89f38m37zZhF5nfv6r8KS0hp8uP8FGlG9AqgdmUIkjHvZRSEBgNNI', '_3vrFleZlqfNAg5HVW', 'fkj2QBHwu6XlJY3Hj', 'QoIvAOGEAuZz19ONd', 'PabkqXCUaLQLay6wi'
Source: LHA9oUEAwZ.exe, A6KJM5OnMj4l8Zs9YLwXRUrIXz7tx6TKgT2mMjtx.cs	High entropy of concatenated method names: '_6b35A2axSWdonI5on3vsc92D2xbKfFvyKpIExQaY', 'pD752BHE35OB8WiKtQr0p60F3fC0avicmI5yc9k0', 'MIa5PswOlrNKDMMa2MtCLkv8JmGtgOBwVZ0JWBKg', 'WP1FEFB4Q0dzyFiN1WGA2farZLuhgXlcgyS4w0p8', 'aN8VjZcHu2u8Rmtbv', 'TJhDrOu62xHF82TLB', 's57B1kOnf10WLh9Kf', 'U2nIHzR0ooxGpXetJ', '_5uvptiCCabgcq63Ok', 'PCwTgXZAzcLFF2yAy'
Source: LHA9oUEAwZ.exe, pWFohs8uFmHTfaAhVw9lC9.cs	High entropy of concatenated method names: 'sIEUBVVBXhvymuoXBq3b8l', '_3a9P2xLTv2K5DSI1e6EgiN', 'x7AF0fxrGevqKUlbD2cq16', 'RookwFJp4qwU93FcPJHhs9', 'WEmXE5AIt2cD3OBQCaKM4i', 'AX0TTbOTnCbv0dJZkxNakn', '_7mSDokXU63yRJoAkHZffOf', 'xMmJ0OlkoEPrEXhP9GEKCD', 'jHFzismFBt9yWCZ9fGZjnY', '_4Oqr7SZUXA9Ugg6ixxP9AO'
Source: LHA9oUEAwZ.exe, nAqjKWnahmZlgbIrYsgeU9lRcu9NpU73tOyeIJVmtQ5RNbG4wKEHQmh.cs	High entropy of concatenated method names: 'ecISpUVC7UxhPRPd30VapydpSI3nLfDU5zGNeurGECmvF6f80F7gLee', 'QPr3dnXNquZaXW00q8qX0kwzlalzdv5WD40SmZ2LveeYB91exVAJO2I', 'QkVvTmVgSKYKr7VP9tcaLfRxRuOQ8TBP7XFtqGKFjWQWcXbmZXm0XvO', '_8H4z0sovpRkdAbqc3aAZFRhMun7X0O8z3K5AbYLMBgWRNF6nXHQ3gSj', 'JVlMsxOMPrYBrJus3mp3o2MoVofS3QV3NVnZ3QFFRbnZbSryG6RJJNh', 'oDJOt48iSKv0kcDhtOSbYR4rwZBi41caMtJzs2OROH0PF9xcp9uiTXK', 'X5karREfXDJrjLMfdIVTqRy4MGXUKCSlk0lA6BLH', 'O0Z7l9kZro8pyJuwJz6TQCgkkURsYV5irdxZS62c', 'JIwTQcoqzczSqlagZlMQziGeR9WoolecjR0gmTSg', 'E7GV89f8RBAgZqKGmAmkarjRsclTRcq2f5LmflzP'
Source: testnt.exe.2.dr, wbEY1BBMTLuOQnjFsb4qENNVloKJ7EbGgcClTBhaBFyHCKdc3xNJINRjl6XhJMMERGuEOGTH.cs	High entropy of concatenated method names: 'd4RIEYOE889BObHVS9EZ3BUv0WaONwcdQqrg6M1khN8kyFgethX0kg2YmaNRARXzNc7CCKWi', 'TZtcforiMD8eG0MNVLDDyZ47lIAXs8DV3HfplJR5OmSCEMy3aTAmPgPpKaGUACq9xIkRAzyC', 'DOfcHqAO2tYhZYdneKIDsPUeGoj0vOl3gWSocNDAg9dsX67ImVAyebvif', '_5v8hJph8viLMCz9kmDSRD9SrcH6my6LQvQzx4webg5PANXahB7p971TsgK0Xe9rwGes69yYErKybrM5JiT', 'rVchSt4iuWLnfMB90MmS3WRGWMTSA5xBRzC6FkxLPDYYCKh63Ek80IpP4a0g72rgLjHcWLcQa0OZSpPiGz', 'VH9HoxrmmU2onlovjCwmP4g1cwYZkaJCXGoYJVl9rAZN2VN8faxpqT7QfLqhuPlHWkXKPVzZ128YDtZc8C', 'hag6EjJ8okvTFbLyha99y2fhg1V52cgCMXJVFY2ikzXSDUnIxouEY66Z9S6KBy7hWvXCPILu46TJqHNtCt', 'uxlb5DY1WY63r3pZrUr7XhJ19nmQsTHuut5zlhJuI0yOiEJvSXK4iwZ6wiTbEEuIcnB', '_9JhcsGoKT2OnbqCpMBgkRWF7yFEdfd5SCPMETTpsiyw7Y1PL4xsbyGsOP9YNF6SUEFE', 'xE2cjQPo0nyAYLEV1tTOAi8qMqv7zKtusaNYWkZdNoyeaIG2nylWYikfDJzQg7qJSjw'
Source: testnt.exe.2.dr, gHAhN6cuIY6jdHAG5jiXIq.cs	High entropy of concatenated method names: 'rSjPBjbxGoRHu62t7wtWvK01R7Nt1EckwWbjTDb4AX1eirpkTjBzOLK6pgYcmV9XbUIV5qj6dKsDRcCiU0Eaik2QX5', 'uSOiBOMWi0zufTHPCsbFCNH26LlNhdPJjKiJkhS9nM38X3Er14g15PQFhz8K67aab9U7L3LFjNjQpd6Dd8DRXhGvrE', 'wXAMTbTFKSXrM0fKS4KbfOIIpEQzNOruIDqxrsDRULwrxYmCXiejRCyPQPUNsewGNCgcUjdcy1DAVx0W75DlcGCCGK', '_1gZDAoCisI1KZPD4MNWamT0vSvwkHpwz23cteXIBRDQLojFUoJYUfQ4dxt7EiWvARFAeCHGbyfQ3aXr6aQ0HpQznDk'
Source: testnt.exe.2.dr, caUeBYZfVwmeWecKlXVQ7tW3etHpDGaIrrzwqecG62TTOZYow1TXq8sSeP37gmRTdIXugIj983q5D20v.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kpBfQwWJ33Pg5WY5cTv1MT8QZJJeOExhDvE2MyW5vHe7htS4JqeBjo07ZEVBDSpneKdS5FUXrdm9AoupxeMVvFP4sj', 'eSf5Ji2J5t01WKHAZbTomxOLs5CfQAJGnHtPykEAdvcOW5M2KcgTe84qNBX8dsrWXgd6Gz8cWZF2tPtzIlJvtgMCuu', 'rhfua03rpysKziOJqCjWbfz0kAeLmL7kBTuHwyONb1KBKWTdmAkFaNyamnydFb1lpDl3a2VkRfG1dO3tImeGSr82oT', '_2cZOmdFrO9vD3sm3X7bn34SUBz1Gc67rNssT6yFyMzwhTb9pRKwzfqcK40inbtC0nrEsVBsBWFdU2LxJxKCs1UQcUR'
Source: testnt.exe.2.dr, bh5AgBmmct9rNksQHppG7G.cs	High entropy of concatenated method names: 'zqn1SQUrFUMgHieXIorpxP', 'c04k38AmW1WWkBG1Xj3wvH', 'ZG8iCN2A0lEn1L6ydnzK42', 'gHmFGh8HlX6Zb4pRCESCiG', 'KHX41dZ3v4ndWAiAX7Ntew', 'gUGVVE4W2wDAXYH2i054eE', 'owXtj5QlhgpYpQdHlm58mq', 'ohfsz38hrN83Rk2XjK4n0u', 'cMTGVh7QlqnpqtS4THFPSH', 'z0AABSExIRPLOFe6d4YQGl'
Source: testnt.exe.2.dr, WIuR1rCg9OABqm2Ov6Vai2Lg9nFtnB4GBfFpoudo.cs	High entropy of concatenated method names: 'FNHzWngLomEA2m0s7IkHnKswZPPuxbx9DqImvxXC', 'ym3amq6ICtFEpNGE25s8jQ096Z0jTdy7wWYGlWGGymDG2Zt3gT', 'zEBPDZSKVOzQ5zlq7Ri0JkZLP0DH0SROGSexfv8P1vtePgTltl', 'iNwVIlJ1tjsdxiCHWDvBpTlhvrvIlYZMw96bx0dsn1cqc8Ejzw', 'rDi3OHpasRrnDFdZG2IPJj5sBAJxI5zZjKMR8eTisj5fRHqyde'
Source: testnt.exe.2.dr, p1IG6OHEpiNB43wrLsWuNu.cs	High entropy of concatenated method names: 'u5yD0BUm2PcSw0iB0GO3cP', 'oPAJ4NA3yjtlpSliHpVRHy', 'mDEbck9Dl7iLQmmmTiw4D5', '_7Z84Hk2AYvRgn54bPqWxxH', 'Mv3s3rXUYJDv1MlRaV5NZxp1lrZYGvPAA0ykgRtUbGEETMn7PiLRJtx', '_77YyemyOEFU7itfJCUsjpOx8gcqGs8FUQuQbA9o8ta3m6IZGpENCEdn', 'sHvtH3qz9BfXf8zkENDR7dEgvIfjGrGSPeJGEtatrfFc06ORCLo5ldj', '_0juZ9cgK4ayrYhpT7hhADZrbXqLW4FBWPOFjBSBSa4ZCUS5BFAoeDEI', 'wMVjv6gIyHStMsg1FglMtkNzcQO4BpY256l7vPnLEsfsR6NLveTsN8R', 'UIfHerstaAUFl4huhLMnguGkk7zmMhlt614liUFezUqNobGa6g6vH3x'
Source: testnt.exe.2.dr, p0YNdbZlrOpuCNRE0edav2KYSP4XGWPn8wRjA9ie.cs	High entropy of concatenated method names: 'Wk5Rb1ThVxurWW4bR1FzYtajBSNZ3f3cYDGvN7KK', 'OE6M0rFV82DhFKGwpEZVAxuiE8p1tK1ipzXidSoY', 'Erk5rdelfOjiuryrno1aRfle7byjXfKUxM1IIYEu', 'uNO52gJl8XiflpctQQdzmbqRKQejB1mbrjnEehsD', 'c9zSsXTzShpzMwYex5arwnBbukAePQnQ4WeJe3Ax', 'zyjJyxkzs2oh0kJZ9Y4EqfRAZDI4Uwi0aea8ZOrX', 'Qavs0kE80dO9dbK005T8Q8cLCd044xtxvwy7y0mZ', 'xSogTl37TYlau03YlfU1eGjgqwst6VUgqvUruZ0E', 'UZRKZV3Dt0DNJZBzWiRF95ZUl55fQaz6d7JbqDRX', '_85FPJGNAtQhSjWYn0FzmTXtkBRhzY9oQUFKTjHdH'
Source: testnt.exe.2.dr, HSv2czNGQ5ZtVacsXcu1DvtdZfn74sbSWa0KpGeNi8UwefY4Ro8oGJD.cs	High entropy of concatenated method names: 'rQ89f38m37zZhF5nfv6r8KS0hp8uP8FGlG9AqgdmUIkjHvZRSEBgNNI', '_3vrFleZlqfNAg5HVW', 'fkj2QBHwu6XlJY3Hj', 'QoIvAOGEAuZz19ONd', 'PabkqXCUaLQLay6wi'
Source: testnt.exe.2.dr, A6KJM5OnMj4l8Zs9YLwXRUrIXz7tx6TKgT2mMjtx.cs	High entropy of concatenated method names: '_6b35A2axSWdonI5on3vsc92D2xbKfFvyKpIExQaY', 'pD752BHE35OB8WiKtQr0p60F3fC0avicmI5yc9k0', 'MIa5PswOlrNKDMMa2MtCLkv8JmGtgOBwVZ0JWBKg', 'WP1FEFB4Q0dzyFiN1WGA2farZLuhgXlcgyS4w0p8', 'aN8VjZcHu2u8Rmtbv', 'TJhDrOu62xHF82TLB', 's57B1kOnf10WLh9Kf', 'U2nIHzR0ooxGpXetJ', '_5uvptiCCabgcq63Ok', 'PCwTgXZAzcLFF2yAy'
Source: testnt.exe.2.dr, pWFohs8uFmHTfaAhVw9lC9.cs	High entropy of concatenated method names: 'sIEUBVVBXhvymuoXBq3b8l', '_3a9P2xLTv2K5DSI1e6EgiN', 'x7AF0fxrGevqKUlbD2cq16', 'RookwFJp4qwU93FcPJHhs9', 'WEmXE5AIt2cD3OBQCaKM4i', 'AX0TTbOTnCbv0dJZkxNakn', '_7mSDokXU63yRJoAkHZffOf', 'xMmJ0OlkoEPrEXhP9GEKCD', 'jHFzismFBt9yWCZ9fGZjnY', '_4Oqr7SZUXA9Ugg6ixxP9AO'
Source: testnt.exe.2.dr, nAqjKWnahmZlgbIrYsgeU9lRcu9NpU73tOyeIJVmtQ5RNbG4wKEHQmh.cs	High entropy of concatenated method names: 'ecISpUVC7UxhPRPd30VapydpSI3nLfDU5zGNeurGECmvF6f80F7gLee', 'QPr3dnXNquZaXW00q8qX0kwzlalzdv5WD40SmZ2LveeYB91exVAJO2I', 'QkVvTmVgSKYKr7VP9tcaLfRxRuOQ8TBP7XFtqGKFjWQWcXbmZXm0XvO', '_8H4z0sovpRkdAbqc3aAZFRhMun7X0O8z3K5AbYLMBgWRNF6nXHQ3gSj', 'JVlMsxOMPrYBrJus3mp3o2MoVofS3QV3NVnZ3QFFRbnZbSryG6RJJNh', 'oDJOt48iSKv0kcDhtOSbYR4rwZBi41caMtJzs2OROH0PF9xcp9uiTXK', 'X5karREfXDJrjLMfdIVTqRy4MGXUKCSlk0lA6BLH', 'O0Z7l9kZro8pyJuwJz6TQCgkkURsYV5irdxZS62c', 'JIwTQcoqzczSqlagZlMQziGeR9WoolecjR0gmTSg', 'E7GV89f8RBAgZqKGmAmkarjRsclTRcq2f5LmflzP'

Drops PE files

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\testnt.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\testnt.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\testnt.lnk

Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LHA9oUEAwZ.exe, testnt.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Memory allocated: 1710000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Memory allocated: 1B110000 memory reserve \| memory write watch			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Window / User API: threadDelayed 9705

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe TID: 5532	Thread sleep time: -281000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe TID: 5532	Thread sleep time: -9705000s >= -30000s			Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: LHA9oUEAwZ.exe, 00000002.00000002.3245574998.000000001BFE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: testnt.exe.2.dr	Binary or memory string: vmware
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Code function: 2_2_00007FFAAC45281A CheckRemoteDebuggerPresent,

2_2_00007FFAAC45281A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Queries volume information: C:\Users\user\Desktop\LHA9oUEAwZ.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\LHA9oUEAwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LHA9oUEAwZ.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: LHA9oUEAwZ.exe, type: SAMPLE
Source: Yara match	File source: 2.0.LHA9oUEAwZ.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1324807414.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3242886490.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LHA9oUEAwZ.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\testnt.exe, type: DROPPED

ID:	1416005
Product:	CloudBasic
Start time:	18:22:10
Start date:	26.03.2024
Sample:	LHA9oUEAwZ.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3149ac1cd2f798f14c82e4eaa81b1853
SHA1:	7939c17fc5433dcf060c2035bc035e5fefd33078
SHA256:	2391648221057ae4454b46e4010db00fa25551df4835c916ad1cf1354077234f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LHA9oUEAwZ.exe_7062d95b25b19cadb9259966c0d1ce298fffcd9_694179a5_37dded76-bd19-4478-840b-4d209993f4c2\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	373379D6B79C98C05CF7B5D950D963C5	8B4623603AB24176541CEFF03C34869581166BFE	D671EC01CAEA238FD63CDF48A532E7030BB5E52F95F6539E384CBA9A95C5F048
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8909.tmp.dmp	Mini DuMP crash report, 16 streams, Tue Mar 26 19:08:39 2024, 0x1205a4 type	3D5B9ED7682C3E1EB7424A3B15B5D32B	51792C7FA4E5E50737A181CA68D0E0EBACE399D1	8BABB0CDB8FC062F775ACD7C3CE29DED9FFEBE9E6B1E51F16C2B2F72A590C6F1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B7B.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	4ABDF6B0CDE1054F47ECF1B4A77F3434	698B6AA63C10A8117541962E09843443A5B8CE95	99BE7056A2A69346A9B142FD26554C06511BDB7BCF90A4BD65732AA2B236357B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BAB.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	2C379E985A75AA86CB18E0BF384DB47D	31657F179A3D7F42472CA169594A66F155336805	00A873CD1339322B37F865F4092BF253D66BD29B5280F875B95D3B8FDBB32512
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	2C11513C4FAB02AEDEE23EC05A2EB3CC	59177C177B2546FBD8EC7688BAD19D08D32640DE	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\testnt.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 26 16:23:18 2024, mtime=Tue Mar 26 16:23:18 2024, atime=Tue Mar 26 16:23:18 2024, length=72192, window=hide	8F1554F8816C81CA1861C478FDC0AEC0	2CABA262CBC465BC8E46DDCFE3AECB1238B316B4	EE7B27818D00A68911894131DB9E17FE757D4A118AF4803349805F5312C7789A
C:\Users\user\AppData\Roaming\testnt.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3149AC1CD2F798F14C82E4EAA81B1853	7939C17FC5433DCF060C2035BC035E5FEFD33078	2391648221057AE4454B46E4010DB00FA25551DF4835C916AD1CF1354077234F
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	4008740CC78E00B2B60B935EAE163BAA	672181CD82ADB1B176A7F94B193A15BCD9BCB4EB	805BF5661AC8547CACCE5071D9EF2EDFB47379BE599AEC2927351F52783323E4

Windows Analysis Report
LHA9oUEAwZ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report LHA9oUEAwZ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
LHA9oUEAwZ.exe

Malware Threat Intel
Provided by