Windows Analysis Report
GPgMeqI8Gy.exe

Overview

General Information

Sample name: GPgMeqI8Gy.exe (renamed because the original name is a hash value)
Original sample name: 078bded0d7282b8b8daf4b40b837233a.exe
Analysis ID: 1429288
MD5: 078bded0d7282b8b8daf4b40b837233a
SHA1: 526430046baebe7f7eb80960a1869718a142446e
SHA256: fd733056fe23c1d58de2178610834b5633dea41bd19f08063cff06a3732e9221
Tags: 32 exe XWorm

Detection

XWorm
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
AV process strings found (often used to terminate AV products)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: GPgMeqI8Gy.exe Avira: detected
Source: 0.2.GPgMeqI8Gy.exe.8ada48.1.raw.unpack Malware Configuration Extractor: Xworm {"C2 url": ["fuckurfeelins.anondns.net"], "Port": "3134", "Aes key": "3134", "Install file": "USB.exe", "Version": "XWorm V2.1"}
Source: fuckurfeelins.anondns.net Virustotal: Detection: 10%
Source: GPgMeqI8Gy.exe Virustotal: Detection: 33%
Source: GPgMeqI8Gy.exe ReversingLabs: Detection: 23%
Source: GPgMeqI8Gy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.5:49705 version: TLS 1.2

Networking

Source: Malware configuration extractor URLs: fuckurfeelins.anondns.net
Source: unknown DNS query: name: paste.ee
Source: Joe Sandbox View IP Address: 104.21.84.67
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /r/tC4AK HTTP/1.1 User-Agent: Himanen Host: paste.ee
Source: unknown DNS traffic detected: queries for: paste.ee
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AK
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AK)
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKZd
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AK_
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKpns
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKs
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKy
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 2040
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename4horus.exe4 vs GPgMeqI8Gy.exe
Source: GPgMeqI8Gy.exe, 00000000.00000002.2269904300.0000000000709000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBas.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD vs GPgMeqI8Gy.exe
Source: GPgMeqI8Gy.exe Binary or memory string: OriginalFilenameBas.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD vs GPgMeqI8Gy.exe
Source: GPgMeqI8Gy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.GPgMeqI8Gy.exe.8ada48.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal92.troj.evad.winEXE@2/6@1/1
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5712
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe File created: C:\Users\user\AppData\Local\Temp\~DF1873810ED438744D.TMP
Source: GPgMeqI8Gy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GPgMeqI8Gy.exe Virustotal: Detection: 33%
Source: GPgMeqI8Gy.exe ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Users\user\Desktop\GPgMeqI8Gy.exe "C:\Users\user\Desktop\GPgMeqI8Gy.exe"
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 2040
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: asycfilt.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: GPgMeqI8Gy.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: GPgMeqI8Gy.exe Static file information: File size 3162112 > 1048576
Source: GPgMeqI8Gy.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26a000

Data Obfuscation

Source: 0.2.GPgMeqI8Gy.exe.8ada48.1.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: GPgMeqI8Gy.exe Static PE information: real checksum: 0x3095ab should be: 0x30959d
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_004058FA push ds; ret 0_2_00405902
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_004038AC push ds; iretd 0_2_00403902
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_00403DD1 push ds; iretd 0_2_00403DD2
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_004079EA push ds; retf 0_2_00407A46
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_00409A1E push ds; iretd 0_2_00409A2F
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_00406F17 push dword ptr [ebp+7Ch]; ret 0_2_00406F1A
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Code function: 0_2_00407B20 push ds; ret 0_2_00407B2A
Source: C:\Users\user\Desktop\GPgMeqI8Gy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: GPgMeqI8Gy.exe, 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp, GPgMeqI8Gy.exe, 00000000.00000002.2270244784.00000000008F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.GPgMeqI8Gy.exe.8ada48.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GPgMeqI8Gy.exe.8ada48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GPgMeqI8Gy.exe PID: 5712, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.GPgMeqI8Gy.exe.8ada48.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GPgMeqI8Gy.exe.8ada48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2270244784.0000000000890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GPgMeqI8Gy.exe PID: 5712, type: MEMORYSTR