
Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
Analysis ID: 1639671
MD5: 8b0e4317838530055106d49da9c7bf23
SHA1: d80b23881876d8aefbc634ea7028f2f0f987eb35
SHA256: 35303bc14a55f6d4c7f184b6fd63c6a14910013bc3b96d4f3c19e649dec75a6c
Tags: exe, user-SecuriteInfoCom

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe" MD5: 8B0E4317838530055106D49DA9C7BF23)
    • MSBuild.exe (PID: 2176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (PID: 4404 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe" MD5: 8B0E4317838530055106D49DA9C7BF23)
    • RegAsm.exe (PID: 768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": ["147.185.221.25"], "Port": 64864, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf5eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf688:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf79d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf17d:$cnc4: POST / HTTP/1.1
00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x886b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8908:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8a1d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x83fd:$cnc4: POST / HTTP/1.1
00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io |
  • 0x4d79:$str01: $VB$Local_Port
  • 0x4d6a:$str02: $VB$Local_Host
  • 0x504f:$str03: get_Jpeg
  • 0x4a29:$str04: get_ServicePack
  • 0x5ceb:$str05: Select * from AntivirusProduct
  • 0x5ee9:$str06: PCRestart
  • 0x5efd:$str07: shutdown.exe /f /r /t 0
  • 0x5faf:$str08: StopReport
  • 0x5f85:$str09: StopDDos
  • 0x607b:$str10: sendPlugin
  • 0x6219:$str12: -ExecutionPolicy Bypass -File "
  • 0x6342:$str13: Content-length: 5235
6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x66cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6768:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x687d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x625d:$cnc4: POST / HTTP/1.1
6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io |
  • 0x4d79:$str01: $VB$Local_Port
  • 0x4d6a:$str02: $VB$Local_Host
  • 0x504f:$str03: get_Jpeg
  • 0x4a29:$str04: get_ServicePack
  • 0x5ceb:$str05: Select * from AntivirusProduct
  • 0x5ee9:$str06: PCRestart
  • 0x5efd:$str07: shutdown.exe /f /r /t 0
  • 0x5faf:$str08: StopReport
  • 0x5f85:$str09: StopDDos
  • 0x607b:$str10: sendPlugin
  • 0x6219:$str12: -ExecutionPolicy Bypass -File "
  • 0x6342:$str13: Content-length: 5235

            System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, ProcessId: 6324, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStartApp

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T01:43:15.787345+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 147.185.221.25 | 64864 | TCP


            AV Detection

Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Avira: detection malicious, Label: TR/AVI.XWorm.knmju
Source: 00000002.00000002.3351469960.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.25"], "Port": 64864, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Virustotal: Detection: 42%
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | ReversingLabs: Detection: 33%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: 147.185.221.25
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: 64864
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: USB.exe
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00563424 FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DC3424 FindFirstFileExW

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49682 -> 147.185.221.25:64864
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49704 -> 147.185.221.25:64864
Source: Malware configuration extractor | URLs: 147.185.221.25
Source: global traffic | TCP traffic: 192.168.2.7:49682 -> 147.185.221.25:64864
Source: Joe Sandbox View | IP Address: 185.166.143.48
Source: Joe Sandbox View | IP Address: 147.185.221.25
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown | TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown | TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.25
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DA1070 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,InternetReadFile,FreeLibrary
Source: global traffic | HTTP traffic detected: GET /riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfc HTTP/1.1 | Accept: */* | User-Agent: Chrome/95.0.4638.54 | Host: bitbucket.org
Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: RegSvcs.exe, 00000002.00000002.3351469960.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.fronte
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118387844.00000000010E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118779907.0000000003640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3350712838.0000000002818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/L
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1117634851.00000000010E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118387844.00000000010E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/emCertificates
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040900244.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040603183.000000000130B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118195057.0000000001020000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1117634851.00000000010E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118444909.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118387844.00000000010E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118195057.000000000102C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1116334589.00000000010F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfc
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1117634851.00000000010E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118387844.00000000010E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfc7
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000002.1118779907.0000000003640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfc?
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040900244.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfcEB
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3349516025.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/riskwca/cscacxxxc/raw/16e98537939dbd6e2c9c4b3c241587b92e1bf2cf/sdfsdfcw
Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49689 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            barindex
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000002.00000002.3348856700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000003.00000003.1038950135.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_00561010
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_005550A7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_0054B1A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_00567282
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_00561370
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_0054D997
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_0055FB69
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_00556E70
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 0_2_0054EF60
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DB50A7
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DC1010
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DAB1A0
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DC7282
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DC1370
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DAD997
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DBFB69
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DB6E70
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: 1_2_00DAEF60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_0102EAF8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_01021399
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_05060440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_0506B7F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_0506BC9A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_05066F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_0506AFC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: String function: 004814C0 appears 895 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: String function: 0054DDF0 appears 55 times
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: String function: 00DADDF0 appears 55 times
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Code function: String function: 00CE14C0 appears 894 times
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXtest.exe4 vs SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1041070588.0000000002D6D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXtest.exe4 vs SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1038950135.0000000002D46000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXtest.exe4 vs SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXtest.exe4 vs SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameXtest.exe4 vs SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000002.00000002.3348856700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000003.1038950135.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Settings.cs; Base64 encoded string: 'i6wjdd6v/qLXpY54F7War5+GnUJ/rJWnok0g+FHeFC/MvIdDBSWdXZyx6oR2WazQ', 'Z7q11UtCAb4+3fq2sk1Z3ubEpA/GcGnnG/IvQRoFsRVPG95Mx9mAovR/ZzU6JiX4'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Settings.cs; Base64 encoded string: 'i6wjdd6v/qLXpY54F7War5+GnUJ/rJWnok0g+FHeFC/MvIdDBSWdXZyx6oR2WazQ', 'Z7q11UtCAb4+3fq2sk1Z3ubEpA/GcGnnG/IvQRoFsRVPG95Mx9mAovR/ZzU6JiX4'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Settings.cs; Base64 encoded string: 'i6wjdd6v/qLXpY54F7War5+GnUJ/rJWnok0g+FHeFC/MvIdDBSWdXZyx6oR2WazQ', 'Z7q11UtCAb4+3fq2sk1Z3ubEpA/GcGnnG/IvQRoFsRVPG95Mx9mAovR/ZzU6JiX4'
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Settings.cs; Base64 encoded string: 'i6wjdd6v/qLXpY54F7War5+GnUJ/rJWnok0g+FHeFC/MvIdDBSWdXZyx6oR2WazQ', 'Z7q11UtCAb4+3fq2sk1Z3ubEpA/GcGnnG/IvQRoFsRVPG95Mx9mAovR/ZzU6JiX4'
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; File created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Mutant created: \Sessions\1\BaseNamedObjects\KZ0Q65QrYPyx36QY
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Mutant created: \Sessions\1\BaseNamedObjects\AutoStartupInstanceMutex
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File created: C:\Users\user\AppData\Local\Temp\Log.tmp
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Virustotal: Detection: 42%
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; ReversingLabs: Detection: 33%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: unknown; Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: unknown; Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: slc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe; Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static file information: File size 1229312 > 1048576
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, Messages.cs | .Net Code: Memory
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, Messages.cs | .Net Code: Memory
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, Messages.cs | .Net Code: Memory
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, Messages.cs | .Net Code: Memory
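            The recovered .Net code above describes a plugin-delivery path: a C2 message is split into fields (Pack[...]), field 3 is Base64-decoded and run through Helper.Decompress, and the result goes to System.AppDomain.Load(byte[]) with Pack[2] passed alongside it to a late-bound "Invoke". The triage helper below is an added example written for this page; it is not code from the sample, from XWorm or from Joe Sandbox. It mirrors that decode chain over a captured message and checks whether the decoded blob is a managed PE (a non-empty CLR runtime header, data directory 14), which is what AppDomain.Load needs. Assumptions the report does not state are marked in the code: the message is already decrypted, Settings.SPL is a literal string separator (the placeholder "<SPL>" stands in for it), Helper.Decompress is GZip, and the field names, the plugin name and the header-only PE image are all constructed for the demo.

```python
"""Triage helper for the in-memory plugin-loading pattern recovered above.

Added example, not code from the sample, from XWorm or from Joe Sandbox.
The recovered .NET code splits a C2 message into fields (Pack[...]),
Base64-decodes field 3, runs it through Helper.Decompress and hands the
result to AppDomain.Load. Assumptions made here that the report does not
state: the message has already been decrypted, Settings.SPL is a literal
string separator, and Helper.Decompress is GZip. Sample data is constructed.
"""
import base64
import binascii
import gzip
import struct

CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR runtime header)
SEP = "<SPL>"              # hypothetical stand-in for Settings.SPL


def decode_plugin_field(field: str) -> bytes:
    """Mirror Helper.Decompress(Convert.FromBase64String(Pack[3])); GZip is assumed."""
    return gzip.decompress(base64.b64decode(field, validate=True))


def clr_header_info(pe: bytes) -> dict:
    """Parse just enough PE structure to say whether a blob is a managed (.NET) image."""
    info = {"is_pe": False, "has_clr": False, "clr_dir": (0, 0)}
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + 2 > len(pe):
        return info
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        return info
    if opt + nrva_off + 4 > len(pe):
        return info
    n_dirs = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    entry = opt + dirs_off + CLR_DIRECTORY_INDEX * 8
    if n_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > len(pe):
        return info
    rva, size = struct.unpack_from("<II", pe, entry)
    info["clr_dir"] = (rva, size)
    info["has_clr"] = rva != 0 and size != 0   # non-empty directory 14: a managed image
    return info


def triage_message(msg: str, sep: str = SEP) -> dict:
    """Split a captured plugin message the way the client does and classify field 3."""
    pack = msg.split(sep)
    result = {"fields": len(pack), "plugin_name": None, "payload_len": 0,
              "is_pe": False, "has_clr": False, "error": None}
    if len(pack) < 4:
        result["error"] = "fewer than 4 fields; not a plugin packet"
        return result
    result["plugin_name"] = pack[2]          # Pack[2] is the first argument to Invoke
    try:
        payload = decode_plugin_field(pack[3])
    except (binascii.Error, ValueError, OSError, EOFError) as exc:
        result["error"] = f"payload decode failed: {exc}"
        return result
    result["payload_len"] = len(payload)
    hdr = clr_header_info(payload)
    result["is_pe"], result["has_clr"] = hdr["is_pe"], hdr["has_clr"]
    return result


def build_fake_pe(managed: bool) -> bytes:
    """Constructed PE32 header-only image for the demo; not a real assembly."""
    img = bytearray(0x58 + 224)              # DOS header + "PE\0\0" + COFF + PE32 optional header
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44 + 16, 224)   # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)       # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", img, opt + 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(img)


def make_sample_message(managed: bool = True) -> str:
    """Constructed plugin packet: fields 0 and 1 are placeholders, field 3 carries the payload."""
    blob = base64.b64encode(gzip.compress(build_fake_pe(managed))).decode("ascii")
    return SEP.join(["plugin", "client-id", "DemoPlugin.dll", blob])


if __name__ == "__main__":
    print(triage_message(make_sample_message()))
```

            Against real traffic the separator and the decryption step have to come from the extracted configuration (Settings.SPL and Settings.KEY in the code above); the check on data directory 14 is what distinguishes a managed assembly bound for AppDomain.Load from a native PE or from non-PE data, and a decode failure is reported rather than raised so the helper can be run over a whole capture.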
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00541750 LoadLibraryA,GetProcAddress,FreeLibrary,KiUserCallbackDispatcher,FreeLibrary, 0_2_00541750
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Static PE information: section name: .fptable
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.0.dr | Static PE information: section name: .fptable
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_0054DCC4 push ecx; ret 0_2_0054DCD7
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DADCC4 push ecx; ret 1_2_00DADCD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05061DF0 push esp; iretd 2_2_05061DF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05061E32 pushad ; iretd 2_2_05061E19
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05061E72 pushfd ; iretd 2_2_05061E79
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | File created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartApp
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartApp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_005418E0 _Smanip,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_005418E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (49 identical entries)

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (11 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (TimeSpan.MaxValue in milliseconds, i.e. an effectively infinite sleep)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 980
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8856
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation (10 identical entries)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00563424 FindFirstFileExW, 0_2_00563424
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DC3424 FindFirstFileExW, 1_2_00DC3424
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3350712838.000000000283F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW\
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000000.00000002.891602917.00000000013A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3349516025.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000001.00000002.3350712838.000000000283F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039444151.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039843147.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040941521.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000003.1039037230.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000003.00000002.1040831316.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe, 00000006.00000003.1117550460.00000000010BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: RegSvcs.exe, 00000002.00000002.3350076608.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Note: "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket provider that mswsock.dll registers on ordinary Windows installs (the last string above even carries the provider path), so by itself it is weak evidence of VM detection; the VMware SATA CD-ROM device path is the stronger sandbox artifact in this list.
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00551BE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00551BE3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00541750 LoadLibraryA,GetProcAddress,FreeLibrary,KiUserCallbackDispatcher,FreeLibrary, 0_2_00541750
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00564050 GetProcessHeap, 0_2_00564050
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_0054E1BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0054E1BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_00551BE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00551BE3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_0054DE62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0054DE62
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 0_2_0054DFF1 SetUnhandledExceptionFilter, 0_2_0054DFF1
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DAE1BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00DAE1BC
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DB1BE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00DB1BE3
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DADE62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00DADE62
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DADFF1 SetUnhandledExceptionFilter, 1_2_00DADFF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Code function: 1_2_00DA18E0 _Smanip,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,FreeLibrary,FreeLibrary, 1_2_00DA18E0
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8AB008
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,0_2_0056604B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,0_2_00566096
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,0_2_00566131
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_005661BC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,0_2_00566410
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00566535
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,0_2_0056663B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00566717
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,0_2_0055A874
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,0_2_0055ACCF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00565D99
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,1_2_00DC6096
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,1_2_00DC604B
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00DC61BC
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,1_2_00DC6131
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,1_2_00DC6410
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00DC6535
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,1_2_00DC663B
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_00DC6717
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: EnumSystemLocalesW,1_2_00DBA874
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetLocaleInfoW,1_2_00DBACCF
            Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,1_2_00DC5D99
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.28955.11907.exeCode function: 0_2_0054E05B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0054E05B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: RegSvcs.exe, 00000002.00000002.3349580343.0000000000CE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: RegSvcs.exe, 00000002.00000002.3353746182.0000000006453000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3349580343.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3353746182.00000000064A3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350076608.0000000000D4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.3348856700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1038950135.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 6324, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6568, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 6920, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 4404, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.368e3a0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.3683120.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d63e80.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.3.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.2d58c00.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe.28518a0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000003.1114583957.000000000367C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.1114583957.000000000368E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3350712838.000000000284E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.3348856700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.1038950135.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 6324, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6568, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 6920, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe PID: 4404, type: MEMORYSTR

            MITRE ATT&CK Matrix

            The matrix is listed one tactic per line. Entries carrying a leading number are the techniques the report matched (the number is reproduced exactly as the report shows it); the other entries are the unmatched cells of the matrix.

            • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            • Execution: 11 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            • Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            • Privilege Escalation: 411 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 111 Virtualization/Sandbox Evasion; 411 Process Injection; 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
            • Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            • Discovery: 1 System Time Discovery; 241 Security Software Discovery; 111 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery
            • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            • Collection: 1 Input Capture; 11 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            • Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
            • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph (ID: 1639671)

            Sample: SecuriteInfo.com.Win32.RATX... Start date: 16/03/2025 Architecture: WINDOWS Score: 100

            Graph node numbers are given in parentheses; the figure after a process name is the count badge the graph displays next to it.

            Start node (2)
            • DNS/IP: pki-goog.l.google.com (31); c.pki.goog (33); 2 other IPs or domains (35)
            • Signatures: Suricata IDS alerts for network traffic (49); Found malware configuration (51); Malicious sample detected (through community Yara rule) (53); 9 other signatures (55)
            • Started: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (8) 3; SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (11) 12; SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (13) 12

            Node 8: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            • Dropped: SecuriteInfo.com.W...gen.28955.11907.exe, PE32 (27); SecuriteInfo.com.W...exe:Zone.Identifier, ASCII (29)
            • Started: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe (15) 1 13

            Node 11 started RegAsm.exe (19); node 13 started MSBuild.exe (21)

            Node 15: SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe
            • DNS/IP: bitbucket.org 185.166.143.48, 443, 49681, 49683 AMAZON-02US Germany (39)
            • Signatures: Antivirus detection for dropped file (41); Multi AV Scanner detection for dropped file (43); Contains functionality to inject code into remote processes (45); 3 other signatures (47)
            • Started: RegSvcs.exe (23) 3

            Node 23: RegSvcs.exe
            • DNS/IP: 147.185.221.25, 49682, 49690, 49696 SALSGIVERUS United States (37)
            • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (57)
