XWorm | 1abb33b88140

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\OqXZRaykm\AppData\Roaming\ReturnType.exe

Sample File

Binary

Also Known As	C:\Users\OqXZRaykm\Desktop\cry.exe (VM File, Sample File, Accessed File) c:\users\oqxzraykm\appdata\roaming\returntype.exe (Accessed File) c:\users\oqxzraykm\desktop\cry.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	1.25 MB
MD5	a4c1ea4b6e69e69462efa7659ff6f48c
SHA1	cf71024bf28f10f63bf7cd27dba64d406c2ed97c
SHA256	1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803
SSDeep	24576:/84F/cDq4sTq+gdI2W+7nMS9LJf4bcwGCYVgERFh7IfEx0ECnaf:kEcyjgmkMS9L2cFCER0f+0ECna
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Information

Version Information (11)

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00141054	0x00141200	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.62
.rsrc	0x00544000	0x00000578	0x00000600	0x00141400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.0
.reloc	0x00546000	0x0000000C	0x00000200	0x00141A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x00143028	0x00141228	0x00000000

Memory Dumps (11)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
cry.exe	1	0x00010000	0x00157FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04AB0000	0x04B91FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04BF0000	0x04BF0FFF	First Execution	32-bit	0x04BF0000	... Actions Go to Process Download Dump
clrjit.dll	1	0x6DF30000	0x6DFB8FFF	First Execution	32-bit	0x6DF77AB3	... Actions Go to Process Download Dump
buffer	1	0x04DF0000	0x04E45FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04F70000	0x04FB5FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0276BA94	0x0276BA9A	First Execution	32-bit	0x0276BA94	... Actions Go to Process Download Dump
amsi.dll	1	0x6CCA0000	0x6CCAFFFF	First Execution	32-bit	0x6CCA48F0	... Actions Go to Process Download Dump
buffer	1	0x00610000	0x0065EFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
cry.exe	1	0x00010000	0x00157FFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
cry.exe	1	0x00010000	0x00157FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump

C:\Users\OqXZRaykm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReturnType.vbs

Dropped File

Text

MIME Type	text/plain
File Size	89 Bytes
MD5	415af1a46ecad7605e9baeeb18c8e7b9
SHA1	ce470ca058e4bf7af16678a6189406f0d8ca72c1
SHA256	8826ad3144a42bbc2811755373739b19eb73ed8b748d6a6782fa4d2fbbbfff76
SSDeep	3:FER/n0eFHHov9/3Ec+wREaKC5w2XjJHn:FER/lFHIl/1+wiaZ5weJ
ImpHash	-