Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe

Overview

General Information

Sample name: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Analysis ID: 1433539
MD5: a8f5eb653b660a24e0a0017c684c1b96
SHA1: 4b75c2c8dba5f4198873a8ed0e0c4d2bf146d881
SHA256: d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • cleanup
Extracted malware configuration:
{"C2 url": ["dav12221.duckdns.org"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x785c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x78f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7a0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x750a:$cnc4: POST / HTTP/1.1
00000000.00000002.2061672625.0000000005910000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x3346b:$x1: In$J$ct0r
00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xf43a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfd5cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x109314:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf4441:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfd669:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1093b1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf4556:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfd77e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1094c6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf4052:$cnc4: POST / HTTP/1.1
  • 0xfd27a:$cnc4: POST / HTTP/1.1
  • 0x108fc2:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7a5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7af9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x770a:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x3166b:$x1: In$J$ct0r
0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x3166b:$x1: In$J$ct0r
0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x3346b:$x1: In$J$ct0r
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["dav12221.duckdns.org"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: dav12221.duckdns.org
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: 7000
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: <123456789>
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: XWorm V5.2
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack | String decryptor: USB.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdbH source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Configuration.ni.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6A45.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb0 source: WER6A45.tmp.dmp.7.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Xml.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Xml.pdb` source: WER6A45.tmp.dmp.7.dr
Source: Binary string: o.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: Accessibility.pdbP source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2062955260.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, WER6A45.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000001041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb{ft source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000001041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.PDB source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER6A45.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER6A45.tmp.dmp.7.dr
Source: Binary string: o0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WER6A45.tmp.dmp.7.dr

Networking

Source: Malware configuration extractor | URLs: dav12221.duckdns.org
Source: unknown | DNS query: name: dav12221.duckdns.org
Source: Yara match | File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 207.32.218.48:7000
Source: Joe Sandbox View | ASN Name: 1GSERVERSUS 1GSERVERSUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dav12221.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2061672625.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Code function: 0_2_01A5AA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Code function: 0_2_01A59150
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Code function: 1_2_0136E83C
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1304
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2059950940.000000000150E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2062955260.0000000005B10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2061672625.0000000005910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2061548987.00000000044D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000000.2057100989.00000000010A0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedccw.exel% vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319035853.000000000040C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3322576781.0000000005379000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Binary or memory string: OriginalFilenamedccw.exel% vs SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2061672625.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5910000.4.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.450c590.3.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Mutant created: \Sessions\1\BaseNamedObjects\VnoSv30JNEHEbKof
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4696
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7327edff-e120-410d-918e-17ee65893590
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1304
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Binary string: %%.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, WER6A45.tmp.dmp.7.dr
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000001041000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Drawing.pdb source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: mscorlib.ni.pdb source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb4 source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: System.Core.pdb source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb{ft source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000001041000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.PDB source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: System.ni.pdb source: WER6A45.tmp.dmp.7.dr
        Source: Binary string: o0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3323026235.00000000058BA000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: System.Core.ni.pdbRSDS source: WER6A45.tmp.dmp.7.dr

        Data Obfuscation

        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  .Net Code: Memory
        Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Static PE information: 0x91B6DABA [Thu Jun 20 21:44:26 2047 UTC]
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe PID: 2680, type: MEMORYSTR
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 1A10000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 34D0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 3240000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 1310000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 2C60000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: 4C60000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Window / User API: threadDelayed 466
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Window / User API: threadDelayed 9520
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe TID: 4276  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe TID: 6024  Thread sleep count: 466 > 30
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe TID: 6024  Thread sleep time: -466000s >= -30000s
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe TID: 6024  Thread sleep count: 9520 > 30
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe TID: 6024  Thread sleep time: -9520000s >= -30000s
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Thread delayed: delay time: 922337203685477
        Source: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe, 00000001.00000002.3319877443.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Process queried: DebugPort
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Process token adjusted: Debug
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5b10000.5.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs  Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.5b10000.5.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs  Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, Messages.cs  Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
        Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, XLogger.cs  Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Memory written: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match  File source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe PID: 2680, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe PID: 4696, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match  File source: 1.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.35bd948.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34e1e04.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe.34df5c4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe PID: 2680, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe PID: 4696, type: MEMORYSTR
        MITRE ATT&CK Matrix, listed per tactic column (the number in parentheses is the count badge shown in that matrix cell; entries without a number are the matrix's unmatched placeholder cells):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
        Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
        Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
        Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
        Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
        Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
        Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
        Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Source | Detection | Scanner | Label | Link
          SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe | 11% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          dav12221.duckdns.org | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          dav12221.duckdns.org | 207.32.218.48 | true | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          dav12221.duckdns.org | true | Avira URL Cloud: safe | unknown
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          207.32.218.48 | dav12221.duckdns.org | United States | | 143151 | GSERVERSUS | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1433539
          Start date and time:2024-04-29 18:21:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 45s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes:10
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          Detection:MAL
          Classification:mal100.troj.spyw.evad.winEXE@4/4@2/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 21
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Report size getting too big, too many NtSetInformationFile calls found.
          • VT rate limit hit for: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          Time | Type | Description
          18:22:02 | API Interceptor | 1586881x Sleep call for process: SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe modified
          No context
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          GSERVERSUS | http://142.202.242.176:770 | malicious | Unknown | 142.202.242.176
          GSERVERSUS | mrPTE618YB.exe | malicious | PureLog Stealer | 142.202.241.217
          GSERVERSUS | SecuriteInfo.com.Trojan.PWS.Siggen3.25256.942.20710.exe | malicious | Exela Stealer, Xmrig | 142.202.242.45
          GSERVERSUS | file.exe | malicious | PureLog Stealer | 142.202.241.217
          GSERVERSUS | SecuriteInfo.com.Trojan.Siggen27.52043.15111.6134.exe | malicious | Xmrig | 142.202.242.43
          GSERVERSUS | uQeIMs91Vh.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 142.202.241.217
          GSERVERSUS | jr8jf4ddoW.rtf | malicious | Unknown | 207.32.219.82
          GSERVERSUS | vabSc00Ygm.rtf | malicious | Unknown | 207.32.219.82
          GSERVERSUS | Payment_Draft_confirmation.xla.xlsx | malicious | Snake Keylogger | 207.32.219.82
          GSERVERSUS | ym34LUmk5B.rtf | malicious | Unknown | 207.32.219.82
          No context
          No context
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 15 streams, Mon Apr 29 16:23:56 2024, 0x1205a4 type
          Category:dropped
          Size (bytes):274027
          Entropy (8bit):3.9918700410401287
          Encrypted:false
          SSDEEP:3072:uC/oc4uEqsyae2LTg1kGJJxSIQe7gnkUUpr:uDc4xyaXTg1kYJ0IxUUp
          MD5:24187A3A7B1998E6CE3275F84DF2DD29
          SHA1:5643E7D56AFA8C808630F758BC23B12EDFE915BC
          SHA-256:222926B45E3D961C44BAF61013D5C1BD6B388DE275D3831C9F5731BD180FD401
          SHA-512:B51DA0D7C4AF9A17FC7300D240369D665006946F9E2FDE40B18FAB6C31CA50477387B48B0CB5AC3612755B8E476E4D3F12E8FB2164295848AECB839C936DA937
          Malicious:false
          Reputation:low
          Preview:MDMP..a..... ........./f........................T...........$...."......$+...H..........`.......8...........T...........(3..C...........@"..........,$..............................................................................eJ.......$......GenuineIntel............T.......X...'./f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):6504
          Entropy (8bit):3.7353959933578893
          Encrypted:false
          SSDEEP:192:R6l7wVeJVa6rko3YZKkkpr789bV8sfEnm:R6lXJI6rko3Y0klVPfJ
          MD5:8B96234BDF36804B15E464141D3DCBEC
          SHA1:035F5C93E1E791559ECB0F54738916BFD0E753A3
          SHA-256:AB0B908DD2C98A336BAE8DCB57AE8F9478F1BB4D98815E8911A6422ABC11872C
          SHA-512:7A1727C3041519B114A165D5E040E3EEB495E4EEC88F837DC4EAAB569DA6B14BF842846F4FC549372766F94DDE28C061D44505B8F295DE02907B759EA1CD710D
          Malicious:false
          Reputation:low
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.9.6.<./.P.i.
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4882
          Entropy (8bit):4.573396433392947
          Encrypted:false
          SSDEEP:48:cvIwWl8zs+Jg77aI9X8WpW8VYdPYm8M4JW5yFZC+q8vF5DgVhgfNoed:uIjf0I7917V0SJWKCKFdgnENoed
          MD5:E69780FEFA7196D818CC6AD5AF3554C0
          SHA1:153F59C0F4A0CE0D0D851713C09BCCA087775EA0
          SHA-256:E062C7D5C9C63EB5488EF22FD09EC687A3072FFDA5C3F9FC8AE8F12D2AE65EC1
          SHA-512:B66147D0DCD8BD1FD12A92A70EEFA80BD236E9AA00150B2C18D5B40563CA0281CCD24BB5BE40569F8F74295E64766BAD3BA4A0E18E7AE2B91313656B1C795727
          Malicious:false
          Reputation:low
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="301406" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
          Process:C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):706
          Entropy (8bit):5.349842958726647
          Encrypted:false
          SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
          MD5:9BA266AD16952A9A57C3693E0BCFED48
          SHA1:5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
          SHA-256:A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
          SHA-512:678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):6.767935251678155
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
          • Win32 Executable (generic) a (10002005/4) 49.93%
          • Windows Screen Saver (13104/52) 0.07%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          File size:773'632 bytes
          MD5:a8f5eb653b660a24e0a0017c684c1b96
          SHA1:4b75c2c8dba5f4198873a8ed0e0c4d2bf146d881
          SHA256:d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51
          SHA512:0ff6026999fee1e6456a6557a82079a03622480edfd5aef9f7c1e3b03266a1e589fc4b3eb4568f3bec9f5f5f439f58aa313c8409241cbe4e1ffc1043c66a0b01
          SSDEEP:12288:HwglEe171o1+1k155scBRTWgwxPzDnkbIStV4bkX7cst2Ket3D6ohYc8A4isx:CnNKkbI0NjKRs
          TLSH:45F48D107BE88A3EE2FF57BBF4B24415ABF1E4036302E75E086162AD0C977918D516E7
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............@................................
          Icon Hash:00928e8e8686b000
          Entrypoint:0x4be11e
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x91B6DABA [Thu Jun 20 21:44:26 2047 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
          Instruction
          jmp dword ptr [00402000h]
          (the bytes following the entry-point jump are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al"; that run is omitted here)
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe0cc | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x62a | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0xbc124 | 0xbc200 | 505a4c0907cff210f6c53288a7eee91b | False | 0.4978976328903654 | data | 6.778124497983712 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc | 0xc0000 | 0x62a | 0x800 | 312de2b86560bd067f126601a200fdb1 | False | 0.34423828125 | data | 3.4842369416204884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0xc2000 | 0xc | 0x200 | ab449042a5f84f343f2669749d9bb3eb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_VERSION | 0xc00a0 | 0x3a0 | data | | | 0.43103448275862066
          RT_MANIFEST | 0xc0440 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
          DLL | Import
          mscoree.dll | _CorExeMain
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 29, 2024 18:22:04.294526100 CEST | 49705 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:05.300713062 CEST | 49705 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:07.300627947 CEST | 49705 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:11.300652027 CEST | 49705 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:19.300625086 CEST | 49705 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:25.489764929 CEST | 49713 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:26.503801107 CEST | 49713 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:28.519342899 CEST | 49713 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:32.519699097 CEST | 49713 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:40.535079002 CEST | 49713 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:46.648909092 CEST | 49714 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:47.644395113 CEST | 49714 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:49.659936905 CEST | 49714 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:22:53.675564051 CEST | 49714 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:01.691193104 CEST | 49714 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:07.965379000 CEST | 49716 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:08.975747108 CEST | 49716 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:10.972465038 CEST | 49716 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:14.972789049 CEST | 49716 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:23.097459078 CEST | 49716 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:29.314485073 CEST | 49718 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:30.394331932 CEST | 49718 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:32.503695011 CEST | 49718 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:36.503753901 CEST | 49718 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:44.597457886 CEST | 49718 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:50.803333998 CEST | 49719 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:51.894330025 CEST | 49719 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:53.894337893 CEST | 49719 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:23:57.894334078 CEST | 49719 | 7000 | 192.168.2.5 | 207.32.218.48
          Apr 29, 2024 18:24:05.894465923 CEST | 49719 | 7000 | 192.168.2.5 | 207.32.218.48
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 29, 2024 18:22:04.147083044 CEST | 56495 | 53 | 192.168.2.5 | 1.1.1.1
          Apr 29, 2024 18:22:04.288372040 CEST | 53 | 56495 | 1.1.1.1 | 192.168.2.5
          Apr 29, 2024 18:23:07.817404032 CEST | 52141 | 53 | 192.168.2.5 | 1.1.1.1
          Apr 29, 2024 18:23:07.964548111 CEST | 53 | 52141 | 1.1.1.1 | 192.168.2.5
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Apr 29, 2024 18:22:04.147083044 CEST | 192.168.2.5 | 1.1.1.1 | 0xc18a | Standard query (0) | dav12221.duckdns.org | A (IP address) | IN (0x0001) | false
          Apr 29, 2024 18:23:07.817404032 CEST | 192.168.2.5 | 1.1.1.1 | 0xf3f | Standard query (0) | dav12221.duckdns.org | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Apr 29, 2024 18:22:04.288372040 CEST | 1.1.1.1 | 192.168.2.5 | 0xc18a | No error (0) | dav12221.duckdns.org | | 207.32.218.48 | A (IP address) | IN (0x0001) | false
          Apr 29, 2024 18:23:07.964548111 CEST | 1.1.1.1 | 192.168.2.5 | 0xf3f | No error (0) | dav12221.duckdns.org | | 207.32.218.48 | A (IP address) | IN (0x0001) | false
          Target ID:0
          Start time:18:21:59
          Start date:29/04/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
          Imagebase:0xfe0000
          File size:773'632 bytes
          MD5 hash:A8F5EB653B660A24E0A0017C684C1B96
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2061672625.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2061389020.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:18:21:59
          Start date:29/04/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.ALLD.tr.8114.2947.exe"
          Imagebase:0x8d0000
          File size:773'632 bytes
          MD5 hash:A8F5EB653B660A24E0A0017C684C1B96
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.3319035853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
          Reputation:low
          Has exited:false

          Target ID:7
          Start time:18:23:56
          Start date:29/04/2024
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1304
          Imagebase:0x680000
          File size:483'680 bytes
          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false


            Execution Graph

            Execution Coverage:5.2%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:76%
            Total number of Nodes:25
            Total number of Limit Nodes:1
            execution_graph (node and edge list condensed): starting from 1a5a968, the graph proceeds through 1a5aa28 and calls, in order, CreateProcessW (1a5b558, via 1a59b1c), Wow64GetThreadContext (1a59b28), ReadProcessMemory (1a59b40), VirtualAllocEx (1a5a758), WriteProcessMemory (1a5a600, three calls), Wow64SetThreadContext (1a5a4d8) and ResumeThread (1a5a878), then loops back to 1a5a982.

            Control-flow Graph

            control_flow_graph: function at 1a59150, basic blocks 1a59150 to 1a59486, with calls to 1a588d8 and 1a503e0 (node and edge list omitted).
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Xaq$$]q
            • API String ID: 0-1280934391
            • Opcode ID: bee8b2d25d8773546444f5ad614b5dbb3145f38e748c276990fd4a36b4f572f4
            • Instruction ID: 3c764b7a73c1c1b2d7253f77ad9a1020826ee758158d07d82df1b2829161d577
            • Opcode Fuzzy Hash: bee8b2d25d8773546444f5ad614b5dbb3145f38e748c276990fd4a36b4f572f4
            • Instruction Fuzzy Hash: F6817334B08218DBDB58DF79945467F7AB7BFC8710B09852DE40AEB389DE349C028792
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph: function at 1a5aa28, basic blocks 1a5aa28 to 1a5b53d, with calls to 1a59b1c, 1a59b28, 1a59b34, 1a59b40, 1a59b4c, 1a5a758, 1a5a600 (three call sites), 1a5a4d8, 1a59b58 and 1a5a878 (node and edge list omitted).
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: de8ca4105c5a4585b83d44b85139c5db487cc9e63efb05fe1aaf6c7d21dd53bd
            • Instruction ID: 6c4ad3980e58ef9c64a89acf549119ba23369d384b891fcd46831b3be1a1b827
            • Opcode Fuzzy Hash: de8ca4105c5a4585b83d44b85139c5db487cc9e63efb05fe1aaf6c7d21dd53bd
            • Instruction Fuzzy Hash: A552E270E052288FDB64DF69C994BDDBBB2BF89300F1085EAC409AB291DB345E85CF51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a59b1c (basic blocks 1a59b1c-1a5b845; calls CreateProcessW); graph node data not rendered.
            APIs
            • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01A5B729
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 43821b971b09eefb04cc1bd99f747abe61b66b9aba2f711ca489d6b40f0d2399
            • Instruction ID: eb54683c3a3793a775afd333a7033adabad03a1a4d7c1a29052def40872b62a3
            • Opcode Fuzzy Hash: 43821b971b09eefb04cc1bd99f747abe61b66b9aba2f711ca489d6b40f0d2399
            • Instruction Fuzzy Hash: 8C81D274C00259CFDB61CFA9C980BDDBBB5BF19300F0491AAE509B7220D7749A85CF64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a5a600 (basic blocks 1a5a600-1a5a73e; calls WriteProcessMemory); graph node data not rendered.
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01A5A6D3
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 655e9a79938a9efeceb39a2d9c83620dd0b3b6fc3ab642a7aefb584836f7b018
            • Instruction ID: 599f8cc796b836166c23f44f2b5211f2c24cd06db6f80ff3ff7800dd7a6c1c4e
            • Opcode Fuzzy Hash: 655e9a79938a9efeceb39a2d9c83620dd0b3b6fc3ab642a7aefb584836f7b018
            • Instruction Fuzzy Hash: 17419AB4D012589FCF00CFA9D984AEEFBF1BB49310F14902AE819B7210D739AA45CB64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a59b40 (basic blocks 1a59b40-1a5ba8c; calls ReadProcessMemory); graph node data not rendered.
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01A5BA35
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 29a0f195a71cb8b381e701ed90fd882a48faa3c14df87a0b6b08d3e1e5bdaa86
            • Instruction ID: 19d636dc1d975e86bfc79d7cf1b7e03449d62e82e6baea728aac951f0834021f
            • Opcode Fuzzy Hash: 29a0f195a71cb8b381e701ed90fd882a48faa3c14df87a0b6b08d3e1e5bdaa86
            • Instruction Fuzzy Hash: 0F4177B9D04258DFCF10CFAAD984AEEFBB5BB59310F14902AE914B7210D335A945CF64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a5a758 (basic blocks 1a5a758-1a5a865; calls VirtualAllocEx); graph node data not rendered.
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01A5A802
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 0e371e55171813aaebb792fb6fff23b180d44a6d3c4cb6a42c0902bfa16185b2
            • Instruction ID: d32d6c7f5352399653bd5f08171e548fcb5878494527d19528c58fb5bd2cccb9
            • Opcode Fuzzy Hash: 0e371e55171813aaebb792fb6fff23b180d44a6d3c4cb6a42c0902bfa16185b2
            • Instruction Fuzzy Hash: C93188B8D042589FCF10CFA9D984ADEFBB5BB59310F10942AE819B7310D735A946CFA4
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a5a4d8 (basic blocks 1a5a4d8-1a5a5ec; calls Wow64SetThreadContext); graph node data not rendered.
            APIs
            • Wow64SetThreadContext.KERNEL32(?,?), ref: 01A5A587
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: bf0bf8a6fb4c94b6c2ecba769c7b386c2acd0533a2fb2303a32a26d6a1a38040
            • Instruction ID: da8106276459d7b5da45f8bc1a06c61253ef4f2027204a673c031197fded33ee
            • Opcode Fuzzy Hash: bf0bf8a6fb4c94b6c2ecba769c7b386c2acd0533a2fb2303a32a26d6a1a38040
            • Instruction Fuzzy Hash: 25319BB4D012589FDB14DFAAD984AEEFBF1BF49314F24802AE419B7240D738A945CF94
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a59b28 (basic blocks 1a59b28-1a5b973; calls Wow64GetThreadContext); graph node data not rendered.
            APIs
            • Wow64GetThreadContext.KERNEL32(?,?), ref: 01A5B922
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 60b49c577cc15d160329961a4f35523af598ca323fa78b5807573a7eb8916308
            • Instruction ID: a4f93c252ce1c58c1863e28bb1207ecb5ab660496bd5dbce72682452793ad767
            • Opcode Fuzzy Hash: 60b49c577cc15d160329961a4f35523af598ca323fa78b5807573a7eb8916308
            • Instruction Fuzzy Hash: F2319AB4D05258DFCB10CFAAD484AAEFBF1AB49310F14902AE818B7350D378A945CFA4
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1a5a878 (basic blocks 1a5a878-1a5a951; calls ResumeThread); graph node data not rendered.
            APIs
            • ResumeThread.KERNELBASE(?), ref: 01A5A8F6
            Memory Dump Source
            • Source File: 00000000.00000002.2060569885.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1a50000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 9b180d4fda10d5c6324a44e5a25d9da855084c950e57a3e1e58ac31422cad29c
            • Instruction ID: 0f6b162be526ff67b232e95459b52822a67a27ba251e8587921c7f12253a3d65
            • Opcode Fuzzy Hash: 9b180d4fda10d5c6324a44e5a25d9da855084c950e57a3e1e58ac31422cad29c
            • Instruction Fuzzy Hash: 1B31ABB4D012189FCB14DFAAD584A9EFBB5BF49310F14942AE819B7310C735A941CFA4
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.2060306661.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_182d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a11b5e2d208237c7c654aea91f0a761eea8d0284e5203d41fd9a7ae355d8b10e
            • Instruction ID: e29586e713fbda3215f3c5b38e5f4c2bb79350282016468e0b60d83b0ab0d1fc
            • Opcode Fuzzy Hash: a11b5e2d208237c7c654aea91f0a761eea8d0284e5203d41fd9a7ae355d8b10e
            • Instruction Fuzzy Hash: EE214871504204DFDB06DF58DAC0F26BF65FB98318F20C669E9098B256C37AD586C7A1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.2060306661.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_182d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
            • Instruction ID: fb6bba5aee19087cfe6ee3755b6e55824e3b4fb14532d497e3239eb85acf042e
            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
            • Instruction Fuzzy Hash: 1211E172404240DFDB02CF54D6C4B16BF72FB88314F24C6A9E9094B257C33AD59ACBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:6.3%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:72
            Total number of Limit Nodes:5
            Execution graph (entry nodes 1361cc0, 13671c0, 13677d8; APIs reached: SetWindowsHookExW, DuplicateHandle, GetModuleHandleW); graph node data not rendered.

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 66d94398e5970f37ee59c30df519c4a0df1fb804bb7ac6bfe3275a993774498b
            • Instruction ID: a2795d8206359fee9397cad1c65a192fa6c233f5b39c9ab8197d447596bce997
            • Opcode Fuzzy Hash: 66d94398e5970f37ee59c30df519c4a0df1fb804bb7ac6bfe3275a993774498b
            • Instruction Fuzzy Hash: 1A714870A00B058FE724DF29D15475ABBF9BF88304F108A2ED48AD7A44DB75E849CF90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 13671b8 (basic blocks 13671b8-136727a; calls DuplicateHandle); graph node data not rendered.
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01367247
            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 19e9512232297313291b5c61b55ba7788804a0bf535a7f32aa8a1a1bbdac67b2
            • Instruction ID: 031fa659f46ef2b41f06f0287e6459b9a39ddbe26a4888e784babed868f3baf2
            • Opcode Fuzzy Hash: 19e9512232297313291b5c61b55ba7788804a0bf535a7f32aa8a1a1bbdac67b2
            • Instruction Fuzzy Hash: 9721E5B59012499FDB10CF9AD584ADEBFF8FB48314F14801AE954A7250C378A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 13671c0 (basic blocks 13671c0-136727a; calls DuplicateHandle); graph node data not rendered.
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01367247
            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: d6fa87cdca7cc7c1d5b9cd533f06815f438f27d2fb19eb2b056dfa42d8e8f2e6
            • Instruction ID: 9ad790ce3b3a2522f951d67519170f26967cc5f866f9f4432d627214d8bb2ebb
            • Opcode Fuzzy Hash: d6fa87cdca7cc7c1d5b9cd533f06815f438f27d2fb19eb2b056dfa42d8e8f2e6
            • Instruction Fuzzy Hash: 9021C4B59002499FDB10CF9AD584ADEBFF9FB48314F14841AE918A3350D378A954CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1361cb8 (basic blocks 1361cb8-1361d76; calls SetWindowsHookExW); graph node data not rendered.
            APIs
            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01361D3B
            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: HookWindows
            • String ID:
            • API String ID: 2559412058-0
            • Opcode ID: 64a7ab8e8d63f7a50150cac8f2fcef57808f71bac907d04e083e66cbdbd22b05
            • Instruction ID: 6489a138d6e05b0b3007e7d5aa3a0d216a675562d40454b8987349fda6b09585
            • Opcode Fuzzy Hash: 64a7ab8e8d63f7a50150cac8f2fcef57808f71bac907d04e083e66cbdbd22b05
            • Instruction Fuzzy Hash: 6B2125B59002098FDB14DFA9C844BEEFBF5FF88314F148429D418A7250C774A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 1361cc0 (basic blocks 1361cc0-1361d76; calls SetWindowsHookExW); graph node data not rendered.
            APIs
            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01361D3B
            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: HookWindows
            • String ID:
            • API String ID: 2559412058-0
            • Opcode ID: 8495259c83acb698135ac1278ecb89211e12057e0e3201e3a43c0bc04eceaaa2
            • Instruction ID: 1e535c01d52a6e09e99b7c8a2770274265ea326049d037432e93cc8bc69cb610
            • Opcode Fuzzy Hash: 8495259c83acb698135ac1278ecb89211e12057e0e3201e3a43c0bc04eceaaa2
            • Instruction Fuzzy Hash: 042104B59002098FDB14DF9AC844AEEBBF5BB88314F148419D519A7250C778A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 136e950 (basic blocks 136e950-136fc08; calls GetModuleHandleW); graph node data not rendered.
            APIs
            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0136F9A4), ref: 0136FBDE
            Memory Dump Source
            • Source File: 00000001.00000002.3320373820.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_1360000_SecuriteInfo.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 8eb78820a4365c817b4c8994889a7c95f48cf6d2bd1246bf092830854bd89423
            • Instruction ID: fed8006bcea71fe2d0b8bd8704c22950de51e10960b7486deccd605c0589a936
            • Opcode Fuzzy Hash: 8eb78820a4365c817b4c8994889a7c95f48cf6d2bd1246bf092830854bd89423
            • Instruction Fuzzy Hash: C71120B5C002498BCB10CF9AD454A9EFBF8EB48314F10C42AD528A7200C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.3319644825.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_f6d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3e5b9c5e1e4c32381625158956a330190fce2b7ff6db58000bdcd790a5ac3a41
            • Instruction ID: b68a8e126513d4253aea870f3767b66c8aabb2d7e5ade43c39cc233341e39d73
            • Opcode Fuzzy Hash: 3e5b9c5e1e4c32381625158956a330190fce2b7ff6db58000bdcd790a5ac3a41
            • Instruction Fuzzy Hash: F3214872A00204DFCB15DF14D9C0F26BF65FB98328F28C169D90A0B656C336DC06EBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.3319741342.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_f7d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f3b37f432b43b1507bf0fd065da66308ddab54abcd5a8370cb5a8fd8ba9ec5d6
            • Instruction ID: e94d08cf3a67477a020bb40fc2d179aeb80cf36e299c6cd3280d8b2da2ebc50c
            • Opcode Fuzzy Hash: f3b37f432b43b1507bf0fd065da66308ddab54abcd5a8370cb5a8fd8ba9ec5d6
            • Instruction Fuzzy Hash: A821F5715042049FEB05DF14D984B26BB75FF88324FA4C56AD80D4B256C3BAD846EA62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.3319644825.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_f6d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
            • Instruction ID: c023690ff618331d43f64856c0a9263bdd4cf87d2a8d2d01b7d8c4e40c93b3d3
            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
            • Instruction Fuzzy Hash: 06110372904240CFCB16CF10D5C4B16BF71FB94324F28C6A9DC0A0B656C336D85ADBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.3319741342.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_f7d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
            • Instruction ID: a2e323e184df89669fa2f85fa4aec28f39516bc95279c542be851f2c51256d62
            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
            • Instruction Fuzzy Hash: 9211BE75904280CFEB06CF10D9C4B15BB71FB84324F64C6AAD84D4B656C37AD84ADB62
            Uniqueness

            Uniqueness Score: -1.00%