Edit tour

Windows Analysis Report
zXtG0a5Gt0.exe

Overview

General Information

Sample name:	zXtG0a5Gt0.exe renamed because original name is a hash value
Original sample name:	dc3657abea2cc9c36a8f7a7cf4f61a22ba2172bd1040c229d5b2cdd8af10bff0.exe
Analysis ID:	1631786
MD5:	89757ce41562cf1c80dbc27625d64cbb
SHA1:	2ba3c337f490e647361869e54116f08aa190a983
SHA256:	dc3657abea2cc9c36a8f7a7cf4f61a22ba2172bd1040c229d5b2cdd8af10bff0
Tags:	exeuser-adrian__luca
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

zXtG0a5Gt0.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\zXtG0a5Gt0.exe" MD5: 89757CE41562CF1C80DBC27625D64CBB)

InstallUtil.exe (PID: 7632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 3484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["147.124.212.231"], "Aes key": "6262", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x768e:$cnc4: POST / HTTP/1.1
00000001.00000002.1370075880.0000000006150000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5d0e8:$s8: Win32_ComputerSystem 0xb3b9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb3c39:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb3d4e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb384a:$cnc4: POST / HTTP/1.1
00000001.00000002.1365290075.0000000003561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: zXtG0a5Gt0.exe PID: 7912	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: zXtG0a5Gt0.exe PID: 7912	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: zXtG0a5Gt0.exe PID: 7912	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 7632	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x47c4:$str01: $VB$Local_Port 0x47b5:$str02: $VB$Local_Host 0x4a9f:$str03: get_Jpeg 0x4474:$str04: get_ServicePack 0x551c:$str05: Select * from AntivirusProduct 0x571a:$str06: PCRestart 0x572e:$str07: shutdown.exe /f /r /t 0 0x57e0:$str08: StopReport 0x57b6:$str09: StopDDos 0x58ac:$str10: sendPlugin 0x5a4a:$str12: -ExecutionPolicy Bypass -File " 0x5b73:$str13: Content-length: 5235
1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5de0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5e7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5f92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5a8e:$cnc4: POST / HTTP/1.1
1.2.zXtG0a5Gt0.exe.6150000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x65c4:$str01: $VB$Local_Port 0x65b5:$str02: $VB$Local_Host 0x689f:$str03: get_Jpeg 0x6274:$str04: get_ServicePack 0x731c:$str05: Select * from AntivirusProduct 0x751a:$str06: PCRestart 0x752e:$str07: shutdown.exe /f /r /t 0 0x75e0:$str08: StopReport 0x75b6:$str09: StopDDos 0x76ac:$str10: sendPlugin 0x784a:$str12: -ExecutionPolicy Bypass -File " 0x7973:$str13: Content-length: 5235
6.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7be0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7c7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7d92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x788e:$cnc4: POST / HTTP/1.1
1.2.zXtG0a5Gt0.exe.6150000.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.zXtG0a5Gt0.exe.37629f1.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.zXtG0a5Gt0.exe.3782a11.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x65c4:$str01: $VB$Local_Port 0x65b5:$str02: $VB$Local_Host 0x689f:$str03: get_Jpeg 0x6274:$str04: get_ServicePack 0x731c:$str05: Select * from AntivirusProduct 0x751a:$str06: PCRestart 0x752e:$str07: shutdown.exe /f /r /t 0 0x75e0:$str08: StopReport 0x75b6:$str09: StopDDos 0x76ac:$str10: sendPlugin 0x784a:$str12: -ExecutionPolicy Bypass -File " 0x7973:$str13: Content-length: 5235
1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7be0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7c7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7d92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x788e:$cnc4: POST / HTTP/1.1
1.2.zXtG0a5Gt0.exe.370b3a0.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 9 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\zXtG0a5Gt0.exe, ProcessId: 7912, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zXtG0a5Gt0.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Ticks.exe

Avira: detection malicious, Label: TR/Dldr.Agent.juage

Found malware configuration

Source: 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["147.124.212.231"], "Aes key": "6262", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Ticks.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: zXtG0a5Gt0.exe	Virustotal: Detection: 61%			Perma Link
Source: zXtG0a5Gt0.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 147.124.212.231
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 6262
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: USB.exe

Source: zXtG0a5Gt0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.4:49717 version: TLS 1.2

Source: zXtG0a5Gt0.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.pdbrsio source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000006.00000002.2535890695.0000000001062000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: zXtG0a5Gt0.exe, 00000001.00000002.1371129170.0000000006460000.00000004.08000000.00040000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003842000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003892000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ((.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbl, P source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdb4 source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: zXtG0a5Gt0.exe, 00000001.00000002.1371129170.0000000006460000.00000004.08000000.00040000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003842000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003892000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535890695.000000000107D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\InstallUtil.pdbQ source: InstallUtil.exe, 00000006.00000002.2535890695.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.2535189290.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 4x nop then jmp 0612D029h	1_2_0612CFE5
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 4x nop then jmp 0612D029h	1_2_0612D1E7
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 4x nop then jmp 0620384Bh	1_2_06203668
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 4x nop then jmp 0620384Bh	1_2_06203678
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 4x nop then jmp 0620384Bh	1_2_0620374E

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.124.212.231

Source: Joe Sandbox View

IP Address: 194.15.112.248 194.15.112.248

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /wacv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /wacv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: oshi.at

Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/wacv
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: https://oshi.at/wacvWMust
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: zXtG0a5Gt0.exe, 00000001.00000002.1368563919.0000000005E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/r
Source: zXtG0a5Gt0.exe, Ticks.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown

HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.4:49717 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F7130 NtProtectVirtualMemory,	1_2_055F7130
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055FA988 NtResumeThread,	1_2_055FA988
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F712A NtProtectVirtualMemory,	1_2_055F712A
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055FA982 NtResumeThread,	1_2_055FA982

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_04A42C69	1_2_04A42C69
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_04A426E8	1_2_04A426E8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_04A426D8	1_2_04A426D8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F38C8	1_2_055F38C8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F8EC8	1_2_055F8EC8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F003A	1_2_055F003A
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F38B8	1_2_055F38B8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F8EB9	1_2_055F8EB9
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06009763	1_2_06009763
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06005A28	1_2_06005A28
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06001F59	1_2_06001F59
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06001F68	1_2_06001F68
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0600DC7F	1_2_0600DC7F
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0600DC90	1_2_0600DC90
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06007DF0	1_2_06007DF0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06045C48	1_2_06045C48
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06043082	1_2_06043082
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06043088	1_2_06043088
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_060422AA	1_2_060422AA
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_060422F8	1_2_060422F8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06070E21	1_2_06070E21
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06070E30	1_2_06070E30
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0607E288	1_2_0607E288
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_060772F3	1_2_060772F3
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06077300	1_2_06077300
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_060779B7	1_2_060779B7
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06128FF8	1_2_06128FF8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0612E4B0	1_2_0612E4B0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0612F1A8	1_2_0612F1A8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0612F62E	1_2_0612F62E
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0612E4A1	1_2_0612E4A1
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0612F197	1_2_0612F197
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06143428	1_2_06143428
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06146C78	1_2_06146C78
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0614B278	1_2_0614B278
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06148E70	1_2_06148E70
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06148E80	1_2_06148E80
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06146C69	1_2_06146C69
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0614A560	1_2_0614A560
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06141590	1_2_06141590
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_061415A0	1_2_061415A0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0614A560	1_2_0614A560
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06144B18	1_2_06144B18
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06140006	1_2_06140006
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06140040	1_2_06140040
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0620B020	1_2_0620B020
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0620B030	1_2_0620B030
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06201AA2	1_2_06201AA2
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06201AB0	1_2_06201AB0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_062176C0	1_2_062176C0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06219858	1_2_06219858
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621D9E0	1_2_0621D9E0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_062176B0	1_2_062176B0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621A540	1_2_0621A540
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621A550	1_2_0621A550
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621001F	1_2_0621001F
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621EFDB	1_2_0621EFDB
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621DD07	1_2_0621DD07
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0621984B	1_2_0621984B
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0652FB40	1_2_0652FB40
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0652F890	1_2_0652F890
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0652DF78	1_2_0652DF78
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06510040	1_2_06510040
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0652E418	1_2_0652E418
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06510006	1_2_06510006
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06045C43	1_2_06045C43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_012E12D8	6_2_012E12D8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 908

Source: zXtG0a5Gt0.exe

Static PE information: invalid certificate

Source: zXtG0a5Gt0.exe, 00000001.00000002.1371129170.0000000006460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1354783384.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000000.1266020504.00000000002BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamereff.exe, vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003842000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.000000000275B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRAw.exe4 vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.00000000025AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1368848994.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGwdziqmhz.dll" vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003892000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRAw.exe4 vs zXtG0a5Gt0.exe
Source: zXtG0a5Gt0.exe	Binary or memory string: OriginalFilenamereff.exe, vs zXtG0a5Gt0.exe

Source: zXtG0a5Gt0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: zXtG0a5Gt0.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ticks.exe.1.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\hvvodBAOHulLeYa8

Source: unknown	Process created: C:\Users\user\Desktop\zXtG0a5Gt0.exe "C:\Users\user\Desktop\zXtG0a5Gt0.exe"
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 908
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior

Source: zXtG0a5Gt0.exe, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: Ticks.exe.1.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 1.2.zXtG0a5Gt0.exe.61b0000.11.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 1.2.zXtG0a5Gt0.exe.61b0000.11.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 1.2.zXtG0a5Gt0.exe.61b0000.11.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 1.2.zXtG0a5Gt0.exe.61b0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 1.2.zXtG0a5Gt0.exe.61b0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.zXtG0a5Gt0.exe.3842640.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 1.2.zXtG0a5Gt0.exe.3976628.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 1.2.zXtG0a5Gt0.exe.3976628.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 1.2.zXtG0a5Gt0.exe.3976628.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 1.2.zXtG0a5Gt0.exe.3976628.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 1.2.zXtG0a5Gt0.exe.3976628.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 1.2.zXtG0a5Gt0.exe.6460000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.6150000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.6150000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.37629f1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.3782a11.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.370b3a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1370075880.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1365290075.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zXtG0a5Gt0.exe PID: 7912, type: MEMORYSTR

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F9760 push es; iretd	1_2_055F976C
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F7392 pushad ; ret	1_2_055F7399
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F8E78 pushfd ; iretd	1_2_055F8E79
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_055F72E8 push eax; ret	1_2_055F72E9
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06074F08 pushfd ; ret	1_2_06074F15
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06120C3B push esp; iretd	1_2_06120C41
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06120C38 pushad ; iretd	1_2_06120C39
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_0614688D push es; iretd	1_2_061468B8
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06213781 push es; iretd	1_2_06213783
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06213EAF push es; ret	1_2_06213EB0
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06212FD2 push ebx; iretd	1_2_06212FD6
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_06213D33 push es; ret	1_2_06213D78
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Code function: 1_2_065136B7 push esp; iretd	1_2_065136BA

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory allocated: 2500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory allocated: 4560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Window / User API: threadDelayed 3259			Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Window / User API: threadDelayed 6535			Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 8004	Thread sleep count: 3259 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 8004	Thread sleep count: 6535 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99394s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98216s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97820s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97492s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -95059s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94597s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe TID: 7976	Thread sleep time: -94031s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99394	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99265	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98823	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98701	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98216	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97820	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97492	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97385	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95734	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95625	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95515	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95297	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 95059	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94925	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94597	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94250	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94140	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Thread delayed: delay time: 94031	Jump to behavior

Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: zXtG0a5Gt0.exe, 00000001.00000002.1354783384.0000000000792000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CB5008	Jump to behavior

Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Queries volume information: C:\Users\user\Desktop\zXtG0a5Gt0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zXtG0a5Gt0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zXtG0a5Gt0.exe.26c1fbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2534889840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zXtG0a5Gt0.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7632, type: MEMORYSTR

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
zXtG0a5Gt0.exe	62%	Virustotal		Browse
zXtG0a5Gt0.exe	66%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan
zXtG0a5Gt0.exe	100%	Avira	TR/Dldr.Agent.juage

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Ticks.exe	100%	Avira	TR/Dldr.Agent.juage
C:\Users\user\AppData\Roaming\Ticks.exe	66%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zXtG0a5Gt0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

C:\Users\user\AppData\Roaming\Ticks.exe

C:\Users\user\AppData\Roaming\Ticks.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
zXtG0a5Gt0.exe

Source	Detection	Scanner	Label
https://oshi.at/wacv	0%	Avira URL Cloud	safe
https://oshi.at/wacvWMust	0%	Avira URL Cloud	safe
147.124.212.231	0%	Avira URL Cloud	safe
https://oshi.at	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://oshi.at/wacv	false	Avira URL Cloud: safe	unknown
147.124.212.231	true	Avira URL Cloud: safe	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://oshi.at	zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002561000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oshi.at/wacvWMust	zXtG0a5Gt0.exe, Ticks.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002616000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	zXtG0a5Gt0.exe, 00000001.00000002.1355552792.0000000002561000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003976000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1365290075.0000000003943000.00000004.00000800.00020000.00000000.sdmp, zXtG0a5Gt0.exe, 00000001.00000002.1370260672.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	false		high

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631786
Start date and time:	2025-03-07 15:47:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zXtG0a5Gt0.exe renamed because original name is a hash value
Original Sample Name:	dc3657abea2cc9c36a8f7a7cf4f61a22ba2172bd1040c229d5b2cdd8af10bff0.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@4/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 342 Number of non-executed functions: 48
Cookbook Comments:	Found application associated with file extension: .exe

Time	Type	Description
09:48:46	API Interceptor	60x Sleep call for process: zXtG0a5Gt0.exe modified
14:48:56	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ticks.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
194.15.112.248	Order.xlsx.exe	Get hash	malicious	DarkCloud	Browse
	Payment receipt.exe	Get hash	malicious	XWorm	Browse
	IMG_1047_3026.exe	Get hash	malicious	AgentTesla	Browse
	Ref#8520163.exe	Get hash	malicious	AgentTesla	Browse
	Ref#1106227.exe	Get hash	malicious	DarkCloud	Browse
	IMG_5016_2237.exe	Get hash	malicious	DarkCloud	Browse
	rIMG_1160_3079.exe	Get hash	malicious	AgentTesla	Browse
	Ref#106027.exe	Get hash	malicious	DarkCloud	Browse
	ELlt5sD224.exe	Get hash	malicious	AgentTesla	Browse
	7kjEh7IF49.exe	Get hash	malicious	AgentTesla	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	Order.xlsx.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	Payment receipt.exe	Get hash	malicious	XWorm	Browse	194.15.112.248
	IMG_1047_3026.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#8520163.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#1106227.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	IMG_5016_2237.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	rIMG_1160_3079.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#106027.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	ELlt5sD224.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	7kjEh7IF49.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	Order.xlsx.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	Payment receipt.exe	Get hash	malicious	XWorm	Browse	194.15.112.248
	IMG_1047_3026.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#8520163.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#1106227.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	IMG_5016_2237.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	rIMG_1160_3079.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#106027.exe	Get hash	malicious	DarkCloud	Browse	194.15.112.248
	ELlt5sD224.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	7kjEh7IF49.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	OfQ4QRmP65.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	OfQ4QRmP65.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	gIPDZfPhpW.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	gIPDZfPhpW.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1	Get hash	malicious	LummaC Stealer	Browse	194.15.112.248
	https://rea.grupolalegion.ec/p.php/1	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	194.15.112.248

Process:	C:\Users\user\Desktop\zXtG0a5Gt0.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.77019102629464
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5UkHn:FER/lFHIwknaZ5UO
MD5:	39BC99232A88BE224BA34A7651DE688B
SHA1:	438C2E3712A361C44BDFCD3433AFEAC848C1CA54
SHA-256:	E67B1256A7A57CD26AF16ADD8C522BB126EBCB7A0682628FBFD4B590C7FADD27
SHA-512:	5C36D671E9EF4210BA51D6DE16F4DCA4FD9640BE0BB14F4D38A1D4A49030EC2DCC94B661E724F6166AFA7A840CE01681575A2C6760B846C4EFD7F5031D6F1153
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Ticks.exe"""