Source: xmo4WvZPV3Q0.exe |
Malware Configuration Extractor: AsyncRAT {"Ports": ["7095"], "Server": ["procesoexitos1.duckdns.org"], "Mutex": "ESPECIALES777", "Certificate": "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", "Server Signature": "lwh/qdaHbWIu6f8uSxAHSISPHNRHAzgruRhQNWqQRlu7lJl8nxyAs2H16BDfUOVvTNX4EnwLAmj0LZ++/DIk6hY7dnjRVpVjHkX6Y7J+dQuB6Kygp66xDLX85/NLq+ar+ROOpnzkgl2aUJchTybHgtbnAZSqlZBmwx2BkLQKD3I="} |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.00000000009CC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab%d |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabB |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Yara match |
File source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Source: Yara match |
File source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328913578.000000000045E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameClient.exe" vs xmo4WvZPV3Q0.exe |
Source: xmo4WvZPV3Q0.exe |
Binary or memory string: OriginalFilenameClient.exe" vs xmo4WvZPV3Q0.exe |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: xmo4WvZPV3Q0.exe, Settings.cs |
Base64 encoded string: 'S6oK3ETgwOyjnyuvY19lfXR8Ux/STQPOoaj+2t3BW3TJJXjgyrppgAAbKaWPefCcVQoR76o7aYcpEa8Afor9YQ==', 'zm6I1nWjcqcwpJ+fvYkxrcIHvOpNI9sufIBXOD9KK8Z2aJhBqNr+RgpAFkcP3BbEZSBzPAFNqshs8d8AuP27j12TxCk2A88m6WeynoAZUMU=', 'YlhnB889aeoBkz1xd6q9+OYB3j+ENt+jeiRrt7tI4jLeERvB1XN2bjhgPD+l5zouFW/EEuZ2iYY3wsZrbyoaZQ==', 'i2+5ahEBqWDq9/jZYwWM+shEPInt5YI1zuu86vK4vO/MMU4TdG/gjhDREv72reunjz0p9CYuhM14G/vi3mZzmA==', 'HP3JZeQ8Vzf5MH+OxFJnVhF6hjJpdVzPQkPLy7DfSU99mMMgFrIgXemY84JiMbpM660OX44C35/+VCYlLKXV8NEKKO8LJPfHuQVgG9GHDWHIigsewx3f1pz7/H/G07WmT09SXnDmkddHAhtCzcRK/HCGfPPft5UWACZC6lY5qrlXnD2srSvF5x2EKZPcTAGSD75jl76Iwh7v7ldISth04Bgfra0d0trG2Fd+z9O9QFbKwQ94ScFA4tbf9F+ha2XHxh9DYUGZYE36V1dY3pmXJJVpBbDWaRd+XLyXaL4hBAPXmfZF2X+UshnDO8186C6Nefm8/stbiugNwJIAp3APnQpbxUfVK9f63Riuyooatw6zh4d+BS29sYI+bjX54rGpKz0YjyHDFNjgdq+3h8wDJm3+jCNT3Ie9nmREmHmFidiJGQN5iA2zfq7LaG8wg3CYwIggMjbbH8L5Fe16RS5c22RSkEyfPKKNyYAu0RhVapOq3M99lMxUFVjXOSqJY8ewtqZAtAavNuHTMHEw8TpUW/EDIaRAjQmdeKa6bKFuzfm15W/BpqWGHuANx2fVmPsFrhLOjQB9pd/BMXJsFWGywf5wzN3RFcN98bnlIdumN5WP5IQWbXsMA4RCPxzLY9UWVU7ulaKTuZOGZu0MkLrpws6XqrF75x0Q+THFNIg9h/KmjFVq+BdpoQa496zTWMOuV7wii1ZJ3kJMf2Lq3RWjv409WKAnIi8hOzY5rG+xD4XwNL+T7OQGte+z2ATl2thFy5aGRLqq03J+SxaHUhMgad+Ak76iJpQTmBf6t3LRmpmcbpa2hPMKQZHIG2cROhY9zp7tymprkOwTE+tyl0n8HJ5VSKwnsxgoUeg1tfho4fsEUvgqPMTmaJ7yMNDws4BD2YjKYiJeMrgxvH09lNKEoP7l8a1k9sQazsX4kDKMqMERj+EzGiyiRcRMSCzj5nZeuOPA03Ws51q+YDryHscrnJOv9jJASzWqkUQRh0M8BOUpxHfOuOBmooFnB4W66FOU/IEZ8Hz+GNDDX/nAUXdoPXsYeRao5HVvHddu1xDxh/2+oKEktmIynuIiM+VclSKm', 'jHtx8ij/qb8PDY1XAwRXvByVt6pTkVMBj8mKnk0Zub8LJ1pFZlWzWRmETnCvenzOLLONTzpeCF816H7dDEgVAUV4cy898Z1876FMWqLav3hNA3UfY+8/krDI93UxO7XqNsxyDHavHMI2vfomC/VldKlcxFBHn6CQJCcqB18YTujxOt9H7GwWLRXxxEp0bp1bp/vpScQqAcUvfEovJ+ElLNzHfYKn6QqkTaTWaFhYCQf6n3//6O3WcnJNXC51jULvmPTh1Iv+4bTnIWctbvnKzt7TGokZXjZop7HLsHCBfAg=', 'HpQydJmuV+6q45SvJESTODdH/pXmdgGqPUx9ZRLHtzVwvZ9/mD2RitjKFGh3Teqc/WrbZBsj8r6y8Kj57JeLUA==', 'tFQwiHTprwFpHfXsSkammmcXJq4P8ekJTalvUG64VOuWZeg0slV5MCRvzmORJM/KCkyR2rHeYJ0am5a0EKxSgQ==' |
Source: xmo4WvZPV3Q0.exe, NormalStartup.cs |
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==' |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: devenum.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: devobj.dll |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Section loaded: msdmo.dll |
Source: Yara match |
File source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Source: Yara match |
File source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Yara match |
File source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Source: Yara match |
File source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 6348 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 6452 |
Thread sleep time: -8301034833169293s >= -30000s |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 5940 |
Thread sleep count: 9449 > 30 |
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 5940 |
Thread sleep count: 419 > 30 |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578479760.000000001B24A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B393000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW` |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578479760.000000001B24A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW@ |
Source: xmo4WvZPV3Q0.exe, AntiProcess.cs |
Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) |
Source: xmo4WvZPV3Q0.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: xmo4WvZPV3Q0.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: xmo4WvZPV3Q0.exe, Amsi.cs |
Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _) |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A72000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@ |
Source: Yara match |
File source: xmo4WvZPV3Q0.exe, type: SAMPLE |
Source: Yara match |
File source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MSASCui.exe |
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: procexp.exe |
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B3F0000.00000004.00000020.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |
Source: Yara match |
File source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR |