Edit tour

Windows Analysis Report
0eVxwphG1t.exe

Overview

General Information

Sample name:	0eVxwphG1t.exe renamed because original name is a hash value
Original sample name:	b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe
Analysis ID:	1546354
MD5:	9bc57b0a4b416e360a8e20ed5dda6cd0
SHA1:	7246f4cdcb19afa4de09a36972492aa067daac51
SHA256:	b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

0eVxwphG1t.exe (PID: 3552 cmdline: "C:\Users\user\Desktop\0eVxwphG1t.exe" MD5: 9BC57B0A4B416E360A8E20ED5DDA6CD0)

WerFault.exe (PID: 940 cmdline: C:\Windows\system32\WerFault.exe -u -p 3552 -s 1836 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["join-ez.gl.at.ply.gg"], "Port": "55", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0eVxwphG1t.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0eVxwphG1t.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc615:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6b2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc7c7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc39f:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc615:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6b2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc7c7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc39f:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc415:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc4b2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc5c7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc19f:$cnc4: POST / HTTP/1.1
Process Memory Space: 0eVxwphG1t.exe PID: 3552	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0eVxwphG1t.exe.620000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.0eVxwphG1t.exe.620000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc615:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6b2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc7c7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc39f:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\0eVxwphG1t.exe, ProcessId: 3552, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T19:58:12.721750+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.6	49730	TCP
2024-10-31T19:58:50.863131+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.6	49904	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:00:11.371139+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.6	49912	147.185.221.23	55	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0eVxwphG1t.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 0eVxwphG1t.exe

Malware Configuration Extractor: Xworm {"C2 url": ["join-ez.gl.at.ply.gg"], "Port": "55", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: 0eVxwphG1t.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0eVxwphG1t.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0eVxwphG1t.exe	String decryptor: join-ez.gl.at.ply.gg
Source: 0eVxwphG1t.exe	String decryptor: 55
Source: 0eVxwphG1t.exe	String decryptor: <123456789>
Source: 0eVxwphG1t.exe	String decryptor: <Xwormmm>
Source: 0eVxwphG1t.exe	String decryptor: XWorm V5.6
Source: 0eVxwphG1t.exe	String decryptor: USB.exe
Source: 0eVxwphG1t.exe	String decryptor: %AppData%
Source: 0eVxwphG1t.exe	String decryptor: WindowsUpdate.exe

Source: 0eVxwphG1t.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0eVxwphG1t.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb# source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbp source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdba source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: rootdows\mscorlib.pdbpdblib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B785000.00000004.00000020.00020000.00000000.sdmp, WERC6DF.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B74F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdbP source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb} source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC6DF.tmp.dmp.6.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49907 -> 147.185.221.23:55
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49912 -> 147.185.221.23:55

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: join-ez.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 147.185.221.23:55

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49904

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: join-ez.gl.at.ply.gg

Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 0eVxwphG1t.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.0eVxwphG1t.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Code function: 0_2_00007FFD34777572	0_2_00007FFD34777572
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Code function: 0_2_00007FFD3477117B	0_2_00007FFD3477117B
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Code function: 0_2_00007FFD347767C6	0_2_00007FFD347767C6

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 1836

Source: 0eVxwphG1t.exe, 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXRCleaner2.exe4 vs 0eVxwphG1t.exe
Source: 0eVxwphG1t.exe	Binary or memory string: OriginalFilenameXRCleaner2.exe4 vs 0eVxwphG1t.exe

Source: 0eVxwphG1t.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0eVxwphG1t.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.0eVxwphG1t.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0eVxwphG1t.exe, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0eVxwphG1t.exe, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0eVxwphG1t.exe, tuDuo8205kScreoQpUjwwMNgueGyyZTo9789sAYBn77OjYUDWlcZKdVHKKHXzpdSCdKj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, tuDuo8205kScreoQpUjwwMNgueGyyZTo9789sAYBn77OjYUDWlcZKdVHKKHXzpdSCdKj.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0eVxwphG1t.exe, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0eVxwphG1t.exe, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: WindowsUpdate.exe.0.dr, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WindowsUpdate.exe.0.dr, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/7@1/1

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Mutant created: \Sessions\1\BaseNamedObjects\KAkATVNStE6NQrko
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3552

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0860294f-c471-487f-ac0d-a325a9b91ce5

Jump to behavior

Source: 0eVxwphG1t.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0eVxwphG1t.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0eVxwphG1t.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File read: C:\Users\user\Desktop\0eVxwphG1t.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0eVxwphG1t.exe "C:\Users\user\Desktop\0eVxwphG1t.exe"
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3552 -s 1836

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: WindowsUpdate.lnk.0.dr

LNK file: ..\..\..\..\..\WindowsUpdate.exe

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 0eVxwphG1t.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0eVxwphG1t.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb# source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbp source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdba source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: rootdows\mscorlib.pdbpdblib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B785000.00000004.00000020.00020000.00000000.sdmp, WERC6DF.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B74F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdbP source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 0eVxwphG1t.exe, 00000000.00000002.4105923006.000000001BAD9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERC6DF.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb} source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC6DF.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.UtRWsRb78ORCaMYqbKNVNp2r4XfpltBzFj1o,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.kps8r9c6EPLqy1GbZCnS1qhwLqkeCs16l6ke,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.dFuGB9pveQAjbnM2XU4z21rSYxk9Ec1dbJ6Y,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.ZnTvChJCOVdKvRKrqb5Tq3AgshakA58qpm97,_5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.HNhob78vm3BnjkW8kHbWrqKIECFYPMsglRjFjWI0drQ7j592IQAMd25DhHCWmp272F4V()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{CKOQMK148GFglgSBVjYtiAxG7xAEofbeughNGYpaC6gYBhAAbIUQAbitkzZzc3jbYJyV[2],_5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.m1XqTEoyMT0eJDnIIBLG295o4LJz7mmRbSeLpzG5LEfYWOp0BWqV6ngZVUnvLg5lHtV7(Convert.FromBase64String(CKOQMK148GFglgSBVjYtiAxG7xAEofbeughNGYpaC6gYBhAAbIUQAbitkzZzc3jbYJyV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.UtRWsRb78ORCaMYqbKNVNp2r4XfpltBzFj1o,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.kps8r9c6EPLqy1GbZCnS1qhwLqkeCs16l6ke,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.dFuGB9pveQAjbnM2XU4z21rSYxk9Ec1dbJ6Y,NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.ZnTvChJCOVdKvRKrqb5Tq3AgshakA58qpm97,_5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.HNhob78vm3BnjkW8kHbWrqKIECFYPMsglRjFjWI0drQ7j592IQAMd25DhHCWmp272F4V()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{CKOQMK148GFglgSBVjYtiAxG7xAEofbeughNGYpaC6gYBhAAbIUQAbitkzZzc3jbYJyV[2],_5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.m1XqTEoyMT0eJDnIIBLG295o4LJz7mmRbSeLpzG5LEfYWOp0BWqV6ngZVUnvLg5lHtV7(Convert.FromBase64String(CKOQMK148GFglgSBVjYtiAxG7xAEofbeughNGYpaC6gYBhAAbIUQAbitkzZzc3jbYJyV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: Ozr3uT8eaovJxXIImVoMHRinyuULD72dG8BK System.AppDomain.Load(byte[])
Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: EMEt4b68XGaSFm266AfRPqDcYyQj8rXIFJUHBf0S3bJIK2INinyjbbZB1koFv1DqKUNJ System.AppDomain.Load(byte[])
Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: EMEt4b68XGaSFm266AfRPqDcYyQj8rXIFJUHBf0S3bJIK2INinyjbbZB1koFv1DqKUNJ
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: Ozr3uT8eaovJxXIImVoMHRinyuULD72dG8BK System.AppDomain.Load(byte[])
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: EMEt4b68XGaSFm266AfRPqDcYyQj8rXIFJUHBf0S3bJIK2INinyjbbZB1koFv1DqKUNJ System.AppDomain.Load(byte[])
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	.Net Code: EMEt4b68XGaSFm266AfRPqDcYyQj8rXIFJUHBf0S3bJIK2INinyjbbZB1koFv1DqKUNJ

Source: 0eVxwphG1t.exe, cRCOMDdbqKPFu5F8GnE1shveMLiwVXRkygCsrlwaTBvBcJB0CT3xLb.cs	High entropy of concatenated method names: 'UQO9n34fYnuL8SWva0Kw4oGgeMEEzKN7mllqQqYcZnmJf4CetcEGu2', 'wL847gRuORfiQGP7tJeomi2Tkoh7i8z4CLu8hYDcc7pXNJqaac4O0v', 'eBfAhJB6A3XFFvloDH2CCcUSATbVyCrYkLTcncO6657h6CKxMleCMv', 'DYctTQtIsZhkTYDBdrJyABT6dlzt', 'B1YvDs6voifwnNqCRj489pGlwEot', 'dhb3M6clb2d1AzPORkPT9PEzS2VM', 'BD42hSvJKr7BpLWiqKC7C4R4tUlS', 'LuR0C8xfDPpOClUDV422zJDX75Sn', 'baEnoFCEPMyraBHaWHosdrfmrQGI', 'SGgMPlcRwpQOUeoWnYL754JtwR3Y'
Source: 0eVxwphG1t.exe, NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.cs	High entropy of concatenated method names: 'STUfgxhrSdjV4XgBdpChLl7QIIXw8Q2yXRYVblbg8Hy3WAG0a6y7SrI1mil5MryOhb6atX4alkhWc0lx8mh24u', 'qDrC9kS3MbD9tyact26Am6BoDu8ik9Jqlm4y7UcX1JOPjZXMakyq6ycCtLrtbyFvZSnC8BWjxHMYmU4crdsBpE', 'A8CrPHRj28zgzoj8ptDofKAgz4ijK7IXPpySIP5ont1olkpiNw7swwJJD8EiXyASI78kyHF0n4afM7BFAyc097', 'pOtMa1GIYoGrIMsabN5vQyOVxMVDyid7Cvnq0g7sVEe1Q0iqyaPU6o6DQw23lrgXm9D5cMMimEyoMnqFfi0aSA'
Source: 0eVxwphG1t.exe, 2FieeZoxiTDXDNjEWT1OqSU5s1XYPlf9kzYKa4ePGKpDZOKibFSqWxny0ecBKXGxqotIPl4mUVZm3AysQM78jx2CUeN1ne.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_89JHJfFhZEzOBVAIMYR7MKQo9zbdNlcrFVMiO80sfGgKMC3Hv2OSNZNbLu0qJMRxiKu806BoDxY2PtqmBjDdkr', 'DN6aYJMFUpGfWPOEJS4HiujUiq33EApJUJOMFut7EVqCUZ4XxYjHDMzPFDrwDnCbIast1Ikzp6VPS6Dn6ISp8n', 'cnwFBporhrgKDwvriG8nFq9hZoI7iVdAvJHOQaH9PJx9Y1U9tKoiAF6jyEwUaGWlOqL8q9n901OB4vdkuKupFb', 'I2T7mFnNuqr9durNOMGHfTmlU1ZbP8L0Gdr4ul3a5a1m0WkcJe5N2GGvYxWFR4MJikn2XCbtbbCHVz4HPk2HNJ'
Source: 0eVxwphG1t.exe, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	High entropy of concatenated method names: 'JTBOR3InHhnTbqdVNpU3RYSx2W86iUnIGsVr', 'CnDvhk2ebTfG8k4pm4xjXXlW6WSCkJjVEKoJ', 'FU7smCBzsebdudxbrXV2PxpSIIdLwemfOuwI', '_2PqW6zr1TxluRHZ5SjaD8OMQrE4o0cWMzrFK', '_6I4KhgXAwiXEdXCCg9K08EJjpYw1CRljcFof', 'TLtxObiGH5j02Ka6KuxTtSPedNrZ3g7vMFX6', 'IvRORgLzFTKJzk20ZShD1ZBVgcexIbfeAiqa', 'fubKyF6llPJZmP1zH6mNPjlfhcRFEi8y1z8A', 'KmOyGqz6w1xBbx6MgxMfV2HO9hk8pw8V5HYo', 'vUNhCQsx2CQBZBFiErLJhQ2XReqX9aUykKC8'
Source: 0eVxwphG1t.exe, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	High entropy of concatenated method names: 'w0zMD4mJpYnUcLQohA9g4kcN9Xkk3nUajyT91qQ20D5fwuPyNKMPVJqEdcdrKhV8pPZZ', 'SxHgRWikAX5tkUzq3NTLJXpRqPudWegWuzQJwrLKid2piU8dnDb5gZtJbKj2RJr0b9sU', 'xbfANXT2ocgqa1chjXHpdagiKBTQq33UYFBeg56bihcw6l8j11XjAvMps1HIES2G8tVl', 'ZLC62MSSJ0HDvrimkPappkfUeCfUcmUhnKrMifvizpo5Vr4ugiY9uzgBy4sdNtNhMTLT', 'L9ahTWqyW44oyKe01AkXCkmHWgzbsa4JineiEK4XJDx0dzMP1fmN3pMtqvqu35hobYxi', 'RF3qdwNfq6Djo1ZFMgdNZUR3MmJIbSkHRWbrIy8BerfsbY6tN7j3j6D85vbK8Lhsant7', '_3QzwXsYRb6Qgzq9vjHm07DMORe8vPh60aprpOyAmo7xyzcu78LBJkgoGHQErzianmisR', 'eg4yvAkTV2qToVPnYlyzLZYqPeN4N6CGhWcTeSClIBJRVMsEycwk6NiLZN8bPcJDLEns', 'CCDA1gEAboHxDd85lR3Ohnz8R0dFNBNMplCBhwdqFkhUPB79iyawJWZOrhAGBdwhaaWk', '_5ZDDPamFsddB5qIIp3OxFSwCDbWBTMK2wnzrJamMj2vbubIjXmVlaxZQMyw3sin2YgGI'
Source: 0eVxwphG1t.exe, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	High entropy of concatenated method names: '_2CT9zJFCBcpXeFux6hA1o7hqfwI9uWv3gt3B', 'Ozr3uT8eaovJxXIImVoMHRinyuULD72dG8BK', '_8gJcLgq7jzxStXF7qb3x6CkalA37JhEK2fxJ', 'xo5xOENIs8UrKarqP52WXv2RQFMOH1S82GLv', 'e16Yza0dJsOYui6yKawhJvSEfG4l6ekUWvtC', 'CDgiSxNMTZglqSaYapUzpvhjdfnDLkjVzWRU1Pyy37sBrFjw3IAmzX5MUdFmVjPSfhZI', 'lhKc6xVtCMRWAuZtDq3WpsPtFjuuN2rwtdnYgIGxOriF1VKIgnoDSqIjkQagtUOtDp5G', 'IUfM4E9XaOmRr4ZxstxzaeKiOIrydFNsvkGvSpyS4FjrsCfK0NnZXM7fuPh0seSQyQeT', 'rZAXzsWn7uMMRHkNk2mOnZuJRYYOW3RLJObCl93ZxJKO0AS6RoeUEcICiVAOR8vEV02F', 'vFvhhv3TFzBjRzdH7IJsrZc6rWs18bd6FQ0NoSyPEiFI39LZt4RS275ssZZvMFoKhlfo'
Source: 0eVxwphG1t.exe, tuDuo8205kScreoQpUjwwMNgueGyyZTo9789sAYBn77OjYUDWlcZKdVHKKHXzpdSCdKj.cs	High entropy of concatenated method names: '_2oxGGVQpEBTlPtR5DKLKPHfk9yO2h1zRDfnAc9bscdUG5sit2AoNFlnAhLTKX65cddai', 'q8QQeInw5qjBEK9K0cn1EbHFDvC0', 'QYyYZUqahzWX7r6HuE4pJfb9pB1V', '_1gjz9r0gUsM6K91UOgGWfcHVYeSi', 'NrWOAaiFz1oXFzOfUnR1EousJgFs'
Source: 0eVxwphG1t.exe, kKeIJ3B7Gw7AL2SuTxWQYCmRQaW82ounaBT9.cs	High entropy of concatenated method names: '_9MXi1y0sfYjJLWGodwihmq7JAcv663pWa8DE', 'BNBjpiejkOAFnbXvfWPjcgEZQ8vlmgJmx7n7', 'euxgagvMX9FafDjEx28lv8OV1pq3LkM0inUy', 'CvekXDiXp1vk6ry3OXJc1FxkdlhfNiWRV7N6S5pCrrTGQFzeBcPPk6p4mXim30IGHe3aalon941fVHP4nzKM5J', 'JUioR6fzXb266VPo6z6mudpH0zDh', 'Mt8uVUMWPxk664x2njevTl5QZIz3', 'UVPqT7Oh9gD8GYnq0SZM3LZSMJop', '_3cjsgZrRrM4qGvn1NuJZozDIyfjy', 'qDEhL9fYr9O8q3UBNndvpTel3nxi', 'axC67nR0zUMQ39t52bPOx1liB9a2'
Source: 0eVxwphG1t.exe, kPGpDohW3nQJpwycTGI7iXhSKEYGqzf8YZdLQ70YE6XqTU6Kxg9gzknnnvFowAD53Se6.cs	High entropy of concatenated method names: 'PQ2Zs76XS0Hsl8yZluuyhoqmO4wfzeUvV3vk1V0Y8PmBGHh8v2y0KBeJxBwSTEWgNJ2S', 'k7ZuBDkae0jag5T3GJY6LsuZ0Qko', 'tnpeGYMV7Riljk8QKeh2zr1CVt5x', 'uiWPIHbwE896L5fqSQxqlm70fAsi', '_9MaNeM3p4O5LF9hQzntV4LKzA1Y1'
Source: WindowsUpdate.exe.0.dr, cRCOMDdbqKPFu5F8GnE1shveMLiwVXRkygCsrlwaTBvBcJB0CT3xLb.cs	High entropy of concatenated method names: 'UQO9n34fYnuL8SWva0Kw4oGgeMEEzKN7mllqQqYcZnmJf4CetcEGu2', 'wL847gRuORfiQGP7tJeomi2Tkoh7i8z4CLu8hYDcc7pXNJqaac4O0v', 'eBfAhJB6A3XFFvloDH2CCcUSATbVyCrYkLTcncO6657h6CKxMleCMv', 'DYctTQtIsZhkTYDBdrJyABT6dlzt', 'B1YvDs6voifwnNqCRj489pGlwEot', 'dhb3M6clb2d1AzPORkPT9PEzS2VM', 'BD42hSvJKr7BpLWiqKC7C4R4tUlS', 'LuR0C8xfDPpOClUDV422zJDX75Sn', 'baEnoFCEPMyraBHaWHosdrfmrQGI', 'SGgMPlcRwpQOUeoWnYL754JtwR3Y'
Source: WindowsUpdate.exe.0.dr, NygBuQ1TMjqtZzDbHLnJHxOGXTTwnviKJhvZ.cs	High entropy of concatenated method names: 'STUfgxhrSdjV4XgBdpChLl7QIIXw8Q2yXRYVblbg8Hy3WAG0a6y7SrI1mil5MryOhb6atX4alkhWc0lx8mh24u', 'qDrC9kS3MbD9tyact26Am6BoDu8ik9Jqlm4y7UcX1JOPjZXMakyq6ycCtLrtbyFvZSnC8BWjxHMYmU4crdsBpE', 'A8CrPHRj28zgzoj8ptDofKAgz4ijK7IXPpySIP5ont1olkpiNw7swwJJD8EiXyASI78kyHF0n4afM7BFAyc097', 'pOtMa1GIYoGrIMsabN5vQyOVxMVDyid7Cvnq0g7sVEe1Q0iqyaPU6o6DQw23lrgXm9D5cMMimEyoMnqFfi0aSA'
Source: WindowsUpdate.exe.0.dr, 2FieeZoxiTDXDNjEWT1OqSU5s1XYPlf9kzYKa4ePGKpDZOKibFSqWxny0ecBKXGxqotIPl4mUVZm3AysQM78jx2CUeN1ne.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_89JHJfFhZEzOBVAIMYR7MKQo9zbdNlcrFVMiO80sfGgKMC3Hv2OSNZNbLu0qJMRxiKu806BoDxY2PtqmBjDdkr', 'DN6aYJMFUpGfWPOEJS4HiujUiq33EApJUJOMFut7EVqCUZ4XxYjHDMzPFDrwDnCbIast1Ikzp6VPS6Dn6ISp8n', 'cnwFBporhrgKDwvriG8nFq9hZoI7iVdAvJHOQaH9PJx9Y1U9tKoiAF6jyEwUaGWlOqL8q9n901OB4vdkuKupFb', 'I2T7mFnNuqr9durNOMGHfTmlU1ZbP8L0Gdr4ul3a5a1m0WkcJe5N2GGvYxWFR4MJikn2XCbtbbCHVz4HPk2HNJ'
Source: WindowsUpdate.exe.0.dr, DE2MvAPSWigWdh7UaW8MR0AITzj0hT8jVkjr.cs	High entropy of concatenated method names: 'JTBOR3InHhnTbqdVNpU3RYSx2W86iUnIGsVr', 'CnDvhk2ebTfG8k4pm4xjXXlW6WSCkJjVEKoJ', 'FU7smCBzsebdudxbrXV2PxpSIIdLwemfOuwI', '_2PqW6zr1TxluRHZ5SjaD8OMQrE4o0cWMzrFK', '_6I4KhgXAwiXEdXCCg9K08EJjpYw1CRljcFof', 'TLtxObiGH5j02Ka6KuxTtSPedNrZ3g7vMFX6', 'IvRORgLzFTKJzk20ZShD1ZBVgcexIbfeAiqa', 'fubKyF6llPJZmP1zH6mNPjlfhcRFEi8y1z8A', 'KmOyGqz6w1xBbx6MgxMfV2HO9hk8pw8V5HYo', 'vUNhCQsx2CQBZBFiErLJhQ2XReqX9aUykKC8'
Source: WindowsUpdate.exe.0.dr, 5W9kCoGzxua5wJwSCTiFGiRuyWcrCS6GOQ2nivBdq7lIMEA4j1x7LNGHWiOniQoYjLx8.cs	High entropy of concatenated method names: 'w0zMD4mJpYnUcLQohA9g4kcN9Xkk3nUajyT91qQ20D5fwuPyNKMPVJqEdcdrKhV8pPZZ', 'SxHgRWikAX5tkUzq3NTLJXpRqPudWegWuzQJwrLKid2piU8dnDb5gZtJbKj2RJr0b9sU', 'xbfANXT2ocgqa1chjXHpdagiKBTQq33UYFBeg56bihcw6l8j11XjAvMps1HIES2G8tVl', 'ZLC62MSSJ0HDvrimkPappkfUeCfUcmUhnKrMifvizpo5Vr4ugiY9uzgBy4sdNtNhMTLT', 'L9ahTWqyW44oyKe01AkXCkmHWgzbsa4JineiEK4XJDx0dzMP1fmN3pMtqvqu35hobYxi', 'RF3qdwNfq6Djo1ZFMgdNZUR3MmJIbSkHRWbrIy8BerfsbY6tN7j3j6D85vbK8Lhsant7', '_3QzwXsYRb6Qgzq9vjHm07DMORe8vPh60aprpOyAmo7xyzcu78LBJkgoGHQErzianmisR', 'eg4yvAkTV2qToVPnYlyzLZYqPeN4N6CGhWcTeSClIBJRVMsEycwk6NiLZN8bPcJDLEns', 'CCDA1gEAboHxDd85lR3Ohnz8R0dFNBNMplCBhwdqFkhUPB79iyawJWZOrhAGBdwhaaWk', '_5ZDDPamFsddB5qIIp3OxFSwCDbWBTMK2wnzrJamMj2vbubIjXmVlaxZQMyw3sin2YgGI'
Source: WindowsUpdate.exe.0.dr, hF9D3AYeWElxQJ4yvTCTUARmJz8B1bpMvhWu.cs	High entropy of concatenated method names: '_2CT9zJFCBcpXeFux6hA1o7hqfwI9uWv3gt3B', 'Ozr3uT8eaovJxXIImVoMHRinyuULD72dG8BK', '_8gJcLgq7jzxStXF7qb3x6CkalA37JhEK2fxJ', 'xo5xOENIs8UrKarqP52WXv2RQFMOH1S82GLv', 'e16Yza0dJsOYui6yKawhJvSEfG4l6ekUWvtC', 'CDgiSxNMTZglqSaYapUzpvhjdfnDLkjVzWRU1Pyy37sBrFjw3IAmzX5MUdFmVjPSfhZI', 'lhKc6xVtCMRWAuZtDq3WpsPtFjuuN2rwtdnYgIGxOriF1VKIgnoDSqIjkQagtUOtDp5G', 'IUfM4E9XaOmRr4ZxstxzaeKiOIrydFNsvkGvSpyS4FjrsCfK0NnZXM7fuPh0seSQyQeT', 'rZAXzsWn7uMMRHkNk2mOnZuJRYYOW3RLJObCl93ZxJKO0AS6RoeUEcICiVAOR8vEV02F', 'vFvhhv3TFzBjRzdH7IJsrZc6rWs18bd6FQ0NoSyPEiFI39LZt4RS275ssZZvMFoKhlfo'
Source: WindowsUpdate.exe.0.dr, tuDuo8205kScreoQpUjwwMNgueGyyZTo9789sAYBn77OjYUDWlcZKdVHKKHXzpdSCdKj.cs	High entropy of concatenated method names: '_2oxGGVQpEBTlPtR5DKLKPHfk9yO2h1zRDfnAc9bscdUG5sit2AoNFlnAhLTKX65cddai', 'q8QQeInw5qjBEK9K0cn1EbHFDvC0', 'QYyYZUqahzWX7r6HuE4pJfb9pB1V', '_1gjz9r0gUsM6K91UOgGWfcHVYeSi', 'NrWOAaiFz1oXFzOfUnR1EousJgFs'
Source: WindowsUpdate.exe.0.dr, kKeIJ3B7Gw7AL2SuTxWQYCmRQaW82ounaBT9.cs	High entropy of concatenated method names: '_9MXi1y0sfYjJLWGodwihmq7JAcv663pWa8DE', 'BNBjpiejkOAFnbXvfWPjcgEZQ8vlmgJmx7n7', 'euxgagvMX9FafDjEx28lv8OV1pq3LkM0inUy', 'CvekXDiXp1vk6ry3OXJc1FxkdlhfNiWRV7N6S5pCrrTGQFzeBcPPk6p4mXim30IGHe3aalon941fVHP4nzKM5J', 'JUioR6fzXb266VPo6z6mudpH0zDh', 'Mt8uVUMWPxk664x2njevTl5QZIz3', 'UVPqT7Oh9gD8GYnq0SZM3LZSMJop', '_3cjsgZrRrM4qGvn1NuJZozDIyfjy', 'qDEhL9fYr9O8q3UBNndvpTel3nxi', 'axC67nR0zUMQ39t52bPOx1liB9a2'
Source: WindowsUpdate.exe.0.dr, kPGpDohW3nQJpwycTGI7iXhSKEYGqzf8YZdLQ70YE6XqTU6Kxg9gzknnnvFowAD53Se6.cs	High entropy of concatenated method names: 'PQ2Zs76XS0Hsl8yZluuyhoqmO4wfzeUvV3vk1V0Y8PmBGHh8v2y0KBeJxBwSTEWgNJ2S', 'k7ZuBDkae0jag5T3GJY6LsuZ0Qko', 'tnpeGYMV7Riljk8QKeh2zr1CVt5x', 'uiWPIHbwE896L5fqSQxqlm70fAsi', '_9MaNeM3p4O5LF9hQzntV4LKzA1Y1'

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Memory allocated: D70000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Memory allocated: 1A920000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Window / User API: threadDelayed 4303			Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Window / User API: threadDelayed 5532			Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe TID: 4868	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe TID: 4868	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe TID: 4592	Thread sleep count: 4303 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe TID: 4592	Thread sleep count: 5532 > 30	Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B6E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll </workflowInstanceQuery>
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: 0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Queries volume information: C:\Users\user\Desktop\0eVxwphG1t.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\0eVxwphG1t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B74F000.00000004.00000020.00020000.00000000.sdmp, 0eVxwphG1t.exe, 00000000.00000002.4105625849.000000001B6E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\0eVxwphG1t.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0eVxwphG1t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0eVxwphG1t.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0eVxwphG1t.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0eVxwphG1t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0eVxwphG1t.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0eVxwphG1t.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	2 Process Injection	1 Masquerading	OS Credential Dumping	231 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
0eVxwphG1t.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
0eVxwphG1t.exe	100%	Avira	HEUR/AGEN.1305769
0eVxwphG1t.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
join-ez.gl.at.ply.gg	147.185.221.23	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
join-ez.gl.at.ply.gg	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0eVxwphG1t.exe, 00000000.00000002.4104313277.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	join-ez.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546354
Start date and time:	2024-10-31 19:57:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0eVxwphG1t.exe renamed because original name is a hash value
Original Sample Name:	b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/7@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 0eVxwphG1t.exe, PID 3552 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 0eVxwphG1t.exe

Simulations

Behavior and APIs

Time	Type	Description
14:57:58	API Interceptor	10344029x Sleep call for process: 0eVxwphG1t.exe modified
15:01:14	API Interceptor	1x Sleep call for process: WerFault.exe modified
19:57:58	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse
	rustdesk.exe	Get hash	malicious	XWorm	Browse
	q0SpP6HxtE.exe	Get hash	malicious	XWorm	Browse
	mkDhqaw9dx.exe	Get hash	malicious	XWorm	Browse
	R7iHtCsOYz.exe	Get hash	malicious	XWorm	Browse
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse
	fMdcaIZWzT.exe	Get hash	malicious	XWorm	Browse
	vtuLkV5KEW.exe	Get hash	malicious	XWorm	Browse
	IGznKtHyTp.exe	Get hash	malicious	XWorm	Browse
	6PJia32WYA.exe	Get hash	malicious	Njrat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	147.176.169.71
	rustdesk.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	Nurcraft.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	q0SpP6HxtE.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	7bZWBYVNPU.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	mkDhqaw9dx.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	R7iHtCsOYz.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	fMdcaIZWzT.exe	Get hash	malicious	XWorm	Browse	147.185.221.23

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0eVxwphG1t.exe_95a65930a35ae566542ba72920c749d8fab6edd_085328c0_0326773b-bcb6-43e9-8356-2e517094e74f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2732608280486528
Encrypted:	false
SSDEEP:	192:9OO6Oi/081iHBaWz8iywBlK3hzuiFkZ24lO836:z6Op81iha48i9KRzuiFkY4lO83
MD5:	6A23EBD8EAF22EFEE85C771C30DDA0AC
SHA1:	E3F7A1691147210F7322DC2A3506997570B70144
SHA-256:	66E2DEA13CB80E98FCC62755A3DE22D4C0038ECBB695777FB928F64068EA101B
SHA-512:	68F13EFCF67682BAED413051AA489B54320F023EBDDF5236F365F4287C93CA48BA0367ACD5A8FE4D7216A313F7AC8D8C5FA11E0C1BFF24C77684F73F4871C634
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.4.8.6.9.8.9.0.2.4.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.7.4.8.7.0.4.5.2.7.5.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.2.6.7.7.3.b.-.b.c.b.6.-.4.3.e.9.-.8.3.5.6.-.2.e.5.1.7.0.9.4.e.7.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.c.c.b.9.0.2.-.1.8.c.3.-.4.0.7.4.-.9.b.6.3.-.3.c.3.4.4.8.2.f.7.4.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.0.e.V.x.w.p.h.G.1.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.R.C.l.e.a.n.e.r.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.e.0.-.0.0.0.1.-.0.0.1.5.-.6.1.7.8.-.9.0.c.a.c.6.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.b.f.f.8.8.c.2.3.e.f.0.a.9.b.c.4.e.e.1.c.d.f.f.0.1.f.c.3.6.4.0.0.0.0.0.0.0.0.0.!.0.0.0.0.7.2.4.6.f.4.c.d.c.b.1.9.a.f.a.4.d.e.0.9.a.3.6.9.7.2.4.9.2.a.a.0.6.7.d.a.a.c.5.1.!.0.e.V.x.w.p.h.G.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6DF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Oct 31 19:01:10 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	482041
Entropy (8bit):	3.027533634471609
Encrypted:	false
SSDEEP:	3072:6bxPmcSbxPsv2wOgDnZ1CCqqIBC3+vge3M7RxhF4bSD:QxmbxXwZZq7C3QAlh1
MD5:	B88D965F3D52F9616429CDD348A959A9
SHA1:	50567F648EAB24CDE381284F978C6597E17302EA
SHA-256:	E3342EA2F03A15546CA9C29C5162A1C5B2E4556C4BF131C3CF8F56A6E036EDB7
SHA-512:	8D2655E2FF828946781255B92DE355C8E50977F312840BBC57AAEA485D04C9387C2B1315275AB240C6AEECBAE84248AA6EB51B4C7CA3A4D6206E0F6AD89CFACD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........#g.........................!..$.......$....+...........,.......3..............l.......8...........T............H...............9...........:..............................................................................eJ.......;......Lw......................T...........1.#g....d........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC867.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8940
Entropy (8bit):	3.7033317093815845
Encrypted:	false
SSDEEP:	192:R6l7wVeJGCV6Y2Dc7gmfZg8xprZ89btVBvPaf/APm:R6lXJrV6YB7gmfKLtjvPaft
MD5:	9B4F921E40B1E6AD68DACB2A2E0FC101
SHA1:	E1B7C662826AEB119042BE5D328A621410B83FCC
SHA-256:	1B348CCFDF037893CB5F17D0EC874150E2D9A6A1E1A6C4163D06FB0097CED813
SHA-512:	1A79A3387A9E8D6FDF1183DAFB73B3CCECC568BE8417A8FE435F1B16D4F496DC870BFB9CBA25B83311F47CCF9939A91C642BC64FD08E1E13205F5176DC7EF054
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC897.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4789
Entropy (8bit):	4.454839992539584
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqJg771I9idWpW8VYQYm8M4Jj3oA9F35Eyq8vroAG6+rVfd:uIjf4I7Vs7VYJj2WG6+rVfd
MD5:	FAB4044EBFD39D95054AE00B9DC52699
SHA1:	25FF7DAAF433B33B0B6FEA88FAEB2DF00838E692
SHA-256:	8D549FF03AEB19CA7F25047DAE97828ED35E6347535A499A0169F9E68BC9F35F
SHA-512:	CC7DEB5B63279604D5460F217220D1E295E6E6CA4311049D85B262D01350B4DBABB53919F3732BEA16673AF003B022622E2BE5390878CF8B3EB2A2494854F45F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567963" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

Download File

Process:	C:\Users\user\Desktop\0eVxwphG1t.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 17:57:58 2024, mtime=Thu Oct 31 17:57:58 2024, atime=Thu Oct 31 17:57:58 2024, length=57856, window=hide
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.070796770437922
Encrypted:	false
SSDEEP:	12:8/14pQ42iypnu8ChUlXIsY//pG0L9RrTYlcE8jAAX+H+W+EJXh1oDomV:8W2iSDtlXUr9OlcEYAAXm+EJx18om
MD5:	F130CE3DD4D3B79D724B598D6500C55C
SHA1:	AFD9A5B23F95BEB5A1F7D9AEF2A87C8312FFE4D4
SHA-256:	63433A02AC78C1E1907AF17983CC76F629B711D18D38E8E2D771AB3CFC6A6486
SHA-512:	105C526FB582C054B1A8C1AA37292ACB1E6892F4F24550826F2F9F89C927BFBBA3B4ABA2D33467BA5E406B47D1170880B471018F4A897B6BEDDED84A497D932E
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....a8..+...a8..+...a8..+............................:..DG..Yr?.D..U..k0.&...&.......$..S....%...+..d.^..+......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2_Y:............................^.A.p.p.D.a.t.a...B.V.1....._Y8...Roaming.@......EW<2_Y8...../.....................g.W.R.o.a.m.i.n.g.....p.2....._Y@. .WINDOW~1.EXE..T......_Y@._Y@...............................W.i.n.d.o.w.s.U.p.d.a.t.e...e.x.e.......b...............-.......a...........b.5......C:\Users\user\AppData\Roaming\WindowsUpdate.exe.. .....\.....\.....\.....\.....\.W.i.n.d.o.w.s.U.p.d.a.t.e...e.x.e.`.......X.......496536...........hT..CrF.f4... .8...Jc...-...-$..hT..CrF.f4... .8...Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Download File

Process:	C:\Users\user\Desktop\0eVxwphG1t.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	6.0282366952384105
Encrypted:	false
SSDEEP:	1536:2Nltt4OCTcQLe6WskbSjJ6EoBs2vWywOvu:2NltCTcQLepskbSjToIOvu
MD5:	9BC57B0A4B416E360A8E20ED5DDA6CD0
SHA1:	7246F4CDCB19AFA4DE09A36972492AA067DAAC51
SHA-256:	B819FD21177AC66B9C645DCC82572B3EB774A14598DAC95621EDB06FB5E411FC
SHA-512:	DD306CD30727911A7C2335945721A85E8B65ECE05EFE3DD63E0FCB7B05033647FC881F0B78B8B6AC107DDF4F079107D51F835F5469FE4F3D6E787C620FF2FE82
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g................................. ........@.. .......................@............@.................................L...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......tU.........&.....................................................(.....r...p. U.....(.....ro..p. .....s.........s.........s.........s..........r...p. ..Q..r...p. .7...r\|..p. ..e..r+..p. .R...r...p. ......((....r...p. ~.H..r:..p. C..&(....&+..+5sG... .... .'..oH...(...~....-.(A...(3...~....oI...&.-..ru..p.r$..p. .x!..r^..p. .....r...p..............j..................sJ.............."(C...+.:.t....(>...+..r...p. B....r...p. ....*.r

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4687551687401355
Encrypted:	false
SSDEEP:	6144:MzZfpi6ceLPx9skLmb0f7ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNRjDH5SH:yZHt7ZWOKnMM6bFp7j4
MD5:	4A9061BE528DF682A36ABDBA81BDF0F1
SHA1:	320A0B255A3CA26D107F3FC82537093387B34C6F
SHA-256:	A415EE3E80AFF1B523AF34D63A034E8187F9F1909818BD91FFAE1090172AB505
SHA-512:	433850394B904AAC4523FD0C3FE4F87DE6B0F4BC97DE36940D937C01CF948E53D5B697357B12162C41AE51788E65D5049D1C75383587A6E041C802FC7848EB2C
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*.E?.+..............................................................................................................................................................................................................................................................................................................................................K^S.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.0282366952384105
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	0eVxwphG1t.exe
File size:	57'856 bytes
MD5:	9bc57b0a4b416e360a8e20ed5dda6cd0
SHA1:	7246f4cdcb19afa4de09a36972492aa067daac51
SHA256:	b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
SHA512:	dd306cd30727911a7c2335945721a85e8b65ece05efe3dd63e0fcb7b05033647fc881f0b78b8b6ac107ddf4f079107d51f835f5469fe4f3d6e787c620ff2fe82
SSDEEP:	1536:2Nltt4OCTcQLe6WskbSjJ6EoBs2vWywOvu:2NltCTcQLepskbSjToIOvu
TLSH:	88438D18B7E24134D1FFABF29DF27162C639E6234913C75F28C502961B53A8DCE41AE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40f79e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722E7F1 [Thu Oct 31 02:14:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf74c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x4de	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7a4	0xd800	93f297c11a9427f072558174110e4ff5	False	0.6194661458333334	data	6.125289573018751	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x4de	0x600	6dd5f2cfd266ba0d1b6350271a1beb5e	False	0.3776041666666667	data	3.7492898923498905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	ad0401756654395ca3f89b43f1d6839f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x100a0	0x254	data			0.4697986577181208
RT_MANIFEST	0x102f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T19:58:12.721750+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.6	49730	TCP
2024-10-31T19:58:50.863131+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.6	49904	TCP
2024-10-31T19:59:18.089977+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49907	147.185.221.23	55	TCP
2024-10-31T20:00:11.371139+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49912	147.185.221.23	55	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:57:59.597352028 CET	49699	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:57:59.603441954 CET	55	49699	147.185.221.23	192.168.2.6
Oct 31, 2024 19:57:59.603547096 CET	49699	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:57:59.785370111 CET	49699	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:57:59.793921947 CET	55	49699	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:08.095529079 CET	55	49699	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:08.095607996 CET	49699	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:08.292886019 CET	49699	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:08.296648026 CET	49715	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:08.298176050 CET	55	49699	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:08.301428080 CET	55	49715	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:08.301491022 CET	49715	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:08.320221901 CET	49715	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:08.325092077 CET	55	49715	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:16.782911062 CET	55	49715	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:16.783098936 CET	49715	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:20.058222055 CET	49715	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:20.061628103 CET	49783	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:20.063150883 CET	55	49715	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:20.067121029 CET	55	49783	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:20.067205906 CET	49783	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:20.086215019 CET	49783	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:20.091082096 CET	55	49783	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:28.547282934 CET	55	49783	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:28.547430038 CET	49783	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:28.620732069 CET	49783	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:28.623101950 CET	49823	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:28.625777006 CET	55	49783	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:28.628150940 CET	55	49823	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:28.628253937 CET	49823	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:28.656430006 CET	49823	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:28.661458969 CET	55	49823	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:37.140386105 CET	55	49823	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:37.140495062 CET	49823	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:37.214499950 CET	49823	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:37.216027975 CET	49862	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:37.219383001 CET	55	49823	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:37.221249104 CET	55	49862	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:37.221332073 CET	49862	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:37.272638083 CET	49862	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:37.277509928 CET	55	49862	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:45.735538960 CET	55	49862	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:45.735681057 CET	49862	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:45.934298038 CET	49862	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:45.935545921 CET	49895	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:45.939160109 CET	55	49862	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:45.940684080 CET	55	49895	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:45.940752983 CET	49895	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:45.960329056 CET	49895	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:45.965312958 CET	55	49895	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:54.423211098 CET	55	49895	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:54.423420906 CET	49895	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:54.808455944 CET	49895	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:54.813479900 CET	55	49895	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:54.840564966 CET	49905	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:54.845500946 CET	55	49905	147.185.221.23	192.168.2.6
Oct 31, 2024 19:58:54.845592976 CET	49905	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:54.869210958 CET	49905	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:58:54.875993967 CET	55	49905	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:03.328686953 CET	55	49905	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:03.328797102 CET	49905	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.011353970 CET	49905	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.013226986 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.016345024 CET	55	49905	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:07.018145084 CET	55	49906	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:07.022074938 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.080329895 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.085318089 CET	55	49906	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:07.344736099 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:07.349803925 CET	55	49906	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:15.503534079 CET	55	49906	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:15.504317045 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.019531965 CET	49906	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.024615049 CET	55	49906	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:18.025700092 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.030556917 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:18.030622005 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.075640917 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.080549002 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:18.089977026 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.094734907 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:18.105458021 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.110275030 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:18.168289900 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:18.173906088 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:26.516103029 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:26.516181946 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.324284077 CET	49907	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.328182936 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.432212114 CET	55	49907	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:28.432233095 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:28.432328939 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.470586061 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.475564003 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:28.605549097 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:28.610452890 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:33.512078047 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:33.517026901 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:33.778764963 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:33.783693075 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:33.824204922 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:33.829093933 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:33.839920044 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:33.844737053 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:33.886627913 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:33.891606092 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:36.914550066 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:36.917185068 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:38.902106047 CET	49908	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:38.904331923 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:38.907222033 CET	55	49908	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:38.909198999 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:38.910171986 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:39.093095064 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:39.099117994 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:39.839808941 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:39.844841003 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:41.855487108 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:41.860651016 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:46.371146917 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:46.376200914 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:47.418185949 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:47.422144890 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.011447906 CET	49909	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.013936996 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.016674995 CET	55	49909	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.018740892 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.018814087 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.058125973 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.062937021 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.090042114 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.094856024 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.121088982 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.126043081 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.152455091 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.157263994 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:50.199199915 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 19:59:50.204163074 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:58.502636909 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 19:59:58.502748966 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.278913975 CET	49910	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.278929949 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.284260988 CET	55	49910	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:00.284276962 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:00.284410954 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.412107944 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.418318987 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:00.544339895 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.549245119 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:00.620975971 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:00.625834942 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:06.264378071 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:06.270258904 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:07.293179035 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:07.298207045 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:08.764518976 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:08.764590025 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.167869091 CET	49911	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.170948982 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.175940990 CET	55	49911	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.177922964 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.177993059 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.219507933 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.225143909 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.277523041 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.282469034 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.324323893 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.329129934 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.371139050 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.379035950 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:11.418061018 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:11.423007965 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:13.214983940 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:13.219940901 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:13.480523109 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:13.485466957 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:19.230592966 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:19.235801935 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:19.653863907 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:19.653944016 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:21.699028015 CET	49912	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:21.701750040 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:21.704035044 CET	55	49912	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:21.706614971 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:21.706686020 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:21.744992971 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:21.749913931 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.793229103 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:26.798326015 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.824147940 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:26.829013109 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.871042013 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:26.875891924 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.902447939 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:26.907366037 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.917941093 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:26.923140049 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:26.996268988 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:27.001913071 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:27.058623075 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:27.063568115 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:27.089876890 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:27.094855070 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:27.105463982 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:27.110268116 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:28.606153011 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:28.611246109 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:30.180473089 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:30.182352066 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:32.122142076 CET	49913	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:32.126143932 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:32.127254963 CET	55	49913	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:32.131633043 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:32.137861967 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:32.218133926 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:32.225863934 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:33.699254036 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:33.704293013 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:37.023143053 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:37.028150082 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:37.293103933 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:37.298531055 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:41.101279974 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:41.101347923 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:41.101902962 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:41.101946115 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:41.102442980 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:41.102545023 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:42.294157982 CET	49914	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:42.298157930 CET	49915	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:42.299086094 CET	55	49914	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:42.303010941 CET	55	49915	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:42.309762001 CET	49915	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:42.386156082 CET	49915	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:42.391024113 CET	55	49915	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:50.800745010 CET	55	49915	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:50.802225113 CET	49915	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:52.674494028 CET	49915	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:52.679542065 CET	55	49915	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:52.690162897 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:52.695092916 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:52.698724985 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:52.882953882 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:52.887846947 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:52.996198893 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:53.001255035 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:53.027554989 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:53.032423973 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:53.777340889 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:53.782275915 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:00:54.996223927 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:00:55.001511097 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:01.208549976 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:01.208625078 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:03.290108919 CET	49916	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:03.292398930 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:03.295209885 CET	55	49916	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:03.297370911 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:03.297475100 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:03.825592995 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:03.830555916 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:05.105541945 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:05.110588074 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:07.636858940 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:07.641839027 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:09.121119022 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:09.126049995 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:09.183558941 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:09.188493013 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:09.214807987 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:09.219691038 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:09.261674881 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:09.266549110 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:09.324182034 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:09.329113007 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:11.781377077 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:11.781491995 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:15.363027096 CET	49917	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:15.367221117 CET	49922	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:15.367882967 CET	55	49917	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:15.372036934 CET	55	49922	147.185.221.23	192.168.2.6
Oct 31, 2024 20:01:15.372102976 CET	49922	55	192.168.2.6	147.185.221.23
Oct 31, 2024 20:01:15.769609928 CET	49922	55	192.168.2.6	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:57:59.569283962 CET	57997	53	192.168.2.6	1.1.1.1
Oct 31, 2024 19:57:59.583329916 CET	53	57997	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 19:57:59.569283962 CET	192.168.2.6	1.1.1.1	0x8502	Standard query (0)	join-ez.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 19:57:59.583329916 CET	1.1.1.1	192.168.2.6	0x8502	No error (0)	join-ez.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:57:53
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\0eVxwphG1t.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0eVxwphG1t.exe"
Imagebase:	0x620000
File size:	57'856 bytes
MD5 hash:	9BC57B0A4B416E360A8E20ED5DDA6CD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2093824292.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:01:09
Start date:	31/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3552 -s 1836
Imagebase:	0x7ff784b70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD3477117B Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFD347713C1

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: 4cc788296569cc2da938a9dfa89a98b587696107e5e843dc282f52a27bd95df2
Instruction ID: 33f3ea6a35b094cefd18f3d330fb0fec14cfccc5aec4727a2af945122cadc25c
Opcode Fuzzy Hash: 4cc788296569cc2da938a9dfa89a98b587696107e5e843dc282f52a27bd95df2
Instruction Fuzzy Hash: 0BF1D971B1CA494BEB98EB7C88A967977D2FF99300F80457DD44ED3392DE68AC018781

Function 00007FFD347767C6 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464ced0b8dc3ad0782ce55c82b3c5b20f025e7dc2770b248e7ba80427eb434f
Instruction ID: 38fb13fef39be641d7814fdeb09369fa1418c8982c9c13565867d09f8d59ba93
Opcode Fuzzy Hash: 4464ced0b8dc3ad0782ce55c82b3c5b20f025e7dc2770b248e7ba80427eb434f
Instruction Fuzzy Hash: 61F19270A08A4D8FEBB8DF28C8557F93BD1FB55310F44826AE84DC7295CB78A9458B81

Function 00007FFD34777572 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804737c720f4632845c11a34d1e7f08e8845d2b384523ec9549b45191f89f8e1
Instruction ID: eb652f6ad571aca74b7936ee344a9bbd8cfd77b3b4667087ca72834b06c41e80
Opcode Fuzzy Hash: 804737c720f4632845c11a34d1e7f08e8845d2b384523ec9549b45191f89f8e1
Instruction Fuzzy Hash: 2CE1A570A08A4D8FEBA8DF28C8957F97BD1FF55310F44826AD84DC7295DA78A8418BC1

Function 00007FFD34778B10 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

0xf4, xrefs: 00007FFD34778B11

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: 0xf4
API String ID: 0-2577278657
Opcode ID: 232ac1ade948a50ebb7dcf52f227f6a5f6172a9cc52478926240ad4aa0fd3437
Instruction ID: 00e441dae526d4653d93cd156166029f8849a7c4e7dda67870d2ba575f459659
Opcode Fuzzy Hash: 232ac1ade948a50ebb7dcf52f227f6a5f6172a9cc52478926240ad4aa0fd3437
Instruction Fuzzy Hash: 3531D4A2A0DA8A4FE7459B688CB20F97FB1EF56204B8540B7C185DB1E3DD5C6C069781

Function 00007FFD34778321 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34778393

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3979a075be51e2ee3de6b00db42e11443bf27f2f607e9b211904edf1fc34e1a3
Instruction ID: f93fff2e9289133abeaf6afdc4faa997dd6a5b143acac5e22d107abc509b942d
Opcode Fuzzy Hash: 3979a075be51e2ee3de6b00db42e11443bf27f2f607e9b211904edf1fc34e1a3
Instruction Fuzzy Hash: 5921D171E0835A8FEB409BA8CC955FDBFE0EF4A310F0651BAD948D7192DB6CA84187D1

Function 00007FFD34771FA1 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFD34771FE6

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: e559f1a9dcde073069e622d1d070bf369021d9557bf2dcc23c43f857f31e6d2b
Instruction ID: b313dea580a9827404ee835013bc9f37c174f015501f3db8cb75b36194bb9c49
Opcode Fuzzy Hash: e559f1a9dcde073069e622d1d070bf369021d9557bf2dcc23c43f857f31e6d2b
Instruction Fuzzy Hash: 8311F661F0E2828BE71663344CB55783FA1AF43250F8481B5D149CB1D3DEACB8159391

Function 00007FFD34772B58 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34778393

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5531fb8c846db0d919aaf0bfe079cc29b51ba259ba636a3e1d18e311967cfa25
Instruction ID: 0f00c5ec5560b571472d9376521f91b380a70d4ab2e56473de3c7dec971dd5ed
Opcode Fuzzy Hash: 5531fb8c846db0d919aaf0bfe079cc29b51ba259ba636a3e1d18e311967cfa25
Instruction Fuzzy Hash: D611A571E08619CAEB54AB6CC8992FDBBA0EF45305F41513ADA1DE22C0DBBDB84096D1

Function 00007FFD34772008 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFD34771FE6

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: 949c90873130bcb207ae2951abdbf97ae366755fd3e064dc12278f8ff862e1b5
Instruction ID: 6f92dad651cf13ae1c6176d4840706deade431fb75a2f54c98a436f72f445515
Opcode Fuzzy Hash: 949c90873130bcb207ae2951abdbf97ae366755fd3e064dc12278f8ff862e1b5
Instruction Fuzzy Hash: 15F08671A0C556CBE365D7248CA1A797BA1BF56320F848A79D12DC22C2DF6CB451E3D0

Function 00007FFD34777FA5 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbeb03fe85c4cd85b112e63ef78f5892a5506a0fbd64ccc87ae24fb67a2648a
Instruction ID: 7f5049bd45410077e26023bdf2a925c4c8bc155e20f345ef9d4ad6dd2e3f9f6f
Opcode Fuzzy Hash: 4fbeb03fe85c4cd85b112e63ef78f5892a5506a0fbd64ccc87ae24fb67a2648a
Instruction Fuzzy Hash: 1F414592B0DA864FEB4196A86CA60B87FA0FF53310B4840BBD14CC71D3C85DBC0293D1

Function 00007FFD34778E89 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee09d2e74b040a0c7b034408d611dea109686c0490b67a3e73acea73229a6362
Instruction ID: d3799f433826f8efdb2c5267da9da57cae674242f9fb69d6f1a282448325ef02
Opcode Fuzzy Hash: ee09d2e74b040a0c7b034408d611dea109686c0490b67a3e73acea73229a6362
Instruction Fuzzy Hash: 179138A1F1D94A8FF794E7788CA52B47BD1EF46310F8586BAD009C7192DE6CB84683C1

Function 00007FFD34772662 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be67cacbc8d6137161f1f322a217b456c5809f9f2dc8223e611adbf8e9e4754
Instruction ID: a422de3fb46454b3b8c88a2ce395fb23670549981496806b8162060555bb9a98
Opcode Fuzzy Hash: 9be67cacbc8d6137161f1f322a217b456c5809f9f2dc8223e611adbf8e9e4754
Instruction Fuzzy Hash: D7814CA1B0CA8A4FE799A77C48742B97FD2EF95310F4841BED04AC72D7DD6C68028381

Function 00007FFD34770E10 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37aa0fd57fb78049583c561f1c6e2d1f15d8cc08be51ab7a88b77c8e7be645b
Instruction ID: 42f0108d1a05947d0c688ad1efccc76930c9ab5873bf833fc0a46519d723a766
Opcode Fuzzy Hash: b37aa0fd57fb78049583c561f1c6e2d1f15d8cc08be51ab7a88b77c8e7be645b
Instruction Fuzzy Hash: C38150A071CD1A9BEB54B7AC98A677EB2D7EFA9300F504579E00DC32D6CD68BC418352

Function 00007FFD34770E08 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb3862d49d895a2db1b3d2ba873b067d69173781564f343df0bdcd0a6db3fe6
Instruction ID: 139d9e48bee0bb591186c4d7bafcf8c2e267f80f5aed124d2e26c423296e42ac
Opcode Fuzzy Hash: 2cb3862d49d895a2db1b3d2ba873b067d69173781564f343df0bdcd0a6db3fe6
Instruction Fuzzy Hash: E48107A2B18E0A4FE7A8A76C58693B977D2FF99310F94457DD00ED32D6DD6C68028380

Function 00007FFD347726C9 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d466014242d0728e7da4ba2dddaea7a02c2a9bf11d40e2b6a543d73dc7e3ed
Instruction ID: f897fcaaffc61c835f93b9efe9d83afcc0f6afaec26785f40741e436ae3bfadc
Opcode Fuzzy Hash: c1d466014242d0728e7da4ba2dddaea7a02c2a9bf11d40e2b6a543d73dc7e3ed
Instruction Fuzzy Hash: 717118A1B1CA4A4FE798A72C48B52B87BD2FF99310F94457ED04AD32D7DD6C68028381

Function 00007FFD3477840D Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd13f0dc0250451580794d2c11df1720b84a529c42271464b72648aa5a9b449
Instruction ID: ac15c4e59fe564f817efb8039f56f4f7bbb3bef5e22f0e59f4bd6f6777e66e9f
Opcode Fuzzy Hash: 1dd13f0dc0250451580794d2c11df1720b84a529c42271464b72648aa5a9b449
Instruction Fuzzy Hash: E6516470A08A0D8FDB58DF58D8957EDBBF1FF59311F10826AD44DD3256CA74A842CB81

Function 00007FFD347714C3 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0d608a5c9b7ef5ce8bf37201b685460b3cffce1034d3707b32ab64260905ad
Instruction ID: 8ad75aa0fd061a703448303820c7f187f03b96e7f042c34514415aa24d80b34f
Opcode Fuzzy Hash: 9a0d608a5c9b7ef5ce8bf37201b685460b3cffce1034d3707b32ab64260905ad
Instruction Fuzzy Hash: 8251E7A1B1DE464BE7A8EB2C48B9279BBC2FF99244B84457DD04ED3396DD6CB8014381

Function 00007FFD347740BC Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a1f315d0cc200ba793f31cbe7b437300e927c4738a85a30b6d2199002594dc
Instruction ID: c85938df8ebe5a4d6b5f841950ed09a8023f8df290b76cd4890c21b1eab7decb
Opcode Fuzzy Hash: e8a1f315d0cc200ba793f31cbe7b437300e927c4738a85a30b6d2199002594dc
Instruction Fuzzy Hash: CC518070908A1C8FDB68DF58D855BE9BBF1FB59310F1082AAD04DE3252DE74A9858FC1

Function 00007FFD347799BA Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8009be231e5639e73c1408405072cb145e34d00a6f3c3c5c4cefb094ae8e5f
Instruction ID: 4429abe3dc88bc99aa71be6b999a640430494ddd6566cea6a04b7afc9d375aa8
Opcode Fuzzy Hash: 2a8009be231e5639e73c1408405072cb145e34d00a6f3c3c5c4cefb094ae8e5f
Instruction Fuzzy Hash: E1513AB1A0D6498FE768EF68DC556B97BE0EF56310F45817ED04DC3192DB68B842CB80

Function 00007FFD347793CD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296a89b7be3b446c8c01437d014993160dd4c3319cb612f480fef2721b52a545
Instruction ID: 0d4a2bd848d79f50a9206e0bec6d89b8a07190eebae099dccf5c5e3e5baec53b
Opcode Fuzzy Hash: 296a89b7be3b446c8c01437d014993160dd4c3319cb612f480fef2721b52a545
Instruction Fuzzy Hash: CA513A71B499598FEB55E77888A56F97BE1EF85310F0540BAE00DD7292CD6CAC42C780

Function 00007FFD34772418 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a22942efebd532693a99495b6fb4fda4f8bad2a35fffd399418beb6440a920
Instruction ID: e062f45175ca84bf21c0cb756a338f5f7dd8cd0899a17c6972729c26893ba36c
Opcode Fuzzy Hash: 50a22942efebd532693a99495b6fb4fda4f8bad2a35fffd399418beb6440a920
Instruction Fuzzy Hash: 4B510330A0D6868FE756973448712B57FA0EF57320F1842E9D0A9D71E3DEACA842C791

Function 00007FFD3477181D Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3edcd2823c804b7f58fa20be4422ce2f3ad7c5e6c30384c3fa2896ba409eed
Instruction ID: c8ad6386b50b3807d846a061fc34e6307d6e76021cd1abf6ef67b5bd9192c9c3
Opcode Fuzzy Hash: 6b3edcd2823c804b7f58fa20be4422ce2f3ad7c5e6c30384c3fa2896ba409eed
Instruction Fuzzy Hash: 46511461B0DAC94FE795AB6C58B5279BFD1EF9B225B0800FAE08DC7293DD5C6806C341

Function 00007FFD34779168 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f548a9ab963ead759fc3aa79fc5c03e8c359d7b48313f918f0aa552c97f71b82
Instruction ID: 98286ffd5da9a1bdacf1d98f8b1e919d549a0f07108ffa0ea8be11d3c957707c
Opcode Fuzzy Hash: f548a9ab963ead759fc3aa79fc5c03e8c359d7b48313f918f0aa552c97f71b82
Instruction Fuzzy Hash: 6C5174B1B1990D8FFB94EB68D8A56BC77E1FF99301F404479E50DD3291CE68B8418B80

Function 00007FFD34770620 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3eaa1226f54025b68a38cae6cfcb177f452451d6897237ce7b60c77592b56f
Instruction ID: 1efd72376849ea88049aa41f3639294bfa9e523d60be659f33c55ad728701bed
Opcode Fuzzy Hash: 8f3eaa1226f54025b68a38cae6cfcb177f452451d6897237ce7b60c77592b56f
Instruction Fuzzy Hash: 35415B21B1DA8A4FF369A77C48662B97BD5EFC6211B4440BAD44DC3293DC5CBC428391

Function 00007FFD34772175 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3467781ebdb8d19cb1afd850a562e971143538043bdf722a546dda5ebaaa553c
Instruction ID: 7c0f8a53d5b736b16e04dccc02b47d52d5f4594fb180279f7a01df968863e674
Opcode Fuzzy Hash: 3467781ebdb8d19cb1afd850a562e971143538043bdf722a546dda5ebaaa553c
Instruction Fuzzy Hash: 4341A074A0CA1C8FDB98EF58D8A96B97BE0FB55311F01016ED10AC3692CB75E841CB81

Function 00007FFD34770BFE Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc33467201a58eff02d47484e90a7f9b061f4cee8a24551eb866d702579a586f
Instruction ID: b923d6c12deb9545b3b6f20c1ffbc8980c70dd3ad3037f4aed90f5252a647a9e
Opcode Fuzzy Hash: cc33467201a58eff02d47484e90a7f9b061f4cee8a24551eb866d702579a586f
Instruction Fuzzy Hash: 2F414D21B0EA8A4FF7A5A77C48661B93FD6EFD7211B4940BAD44DC7293DC9CAC028341

Function 00007FFD34770E70 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c0433fac3a0424ff5cdb71c71fb0dead80619440ce9bc3ee390494299ac93e
Instruction ID: fa7a98f3c47cb5ae74f6434f887189479505f52f962602473eef8179fe0dcd14
Opcode Fuzzy Hash: 39c0433fac3a0424ff5cdb71c71fb0dead80619440ce9bc3ee390494299ac93e
Instruction Fuzzy Hash: 1F41ADB4A08A1C8FDB98EF5CD4A9AB977E0FB55311F10457EE00AD3691CB75E841CB80

Function 00007FFD34779420 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a47c30d57849014095f4917653d19540d2cf765ac6c1ba0111c1867df6f8f0
Instruction ID: 306169533055839a68b6a945218447182512caa3426a30706c2229ffc66ee1e5
Opcode Fuzzy Hash: 99a47c30d57849014095f4917653d19540d2cf765ac6c1ba0111c1867df6f8f0
Instruction Fuzzy Hash: 87419971B1891C8FEB98EB6CD8A96BD77E1EF99310F554079E00ED3292DE78AC418740

Function 00007FFD34778771 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0466db582793b23509c1e5facbc98bb0ef8306c375ffb3c1c7c413dee89bb42c
Instruction ID: 204fac26f494c796d2d96319d0ed134076b8b7f1c3a7b61b506ec3f4dc805355
Opcode Fuzzy Hash: 0466db582793b23509c1e5facbc98bb0ef8306c375ffb3c1c7c413dee89bb42c
Instruction Fuzzy Hash: 9141E971B089498FDB84EB68D8A96BC7BF1EF59310B4541BAD40DD3252DE2CA8418780

Function 00007FFD34770528 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43059b3e73cc0a937d18b8e4451ec0b75f6d592ea1e7827c1f721a5224d25a93
Instruction ID: fe410139daa18c80aca5c27ffe8d6aba580a376a30443c20a5ac7861831b7cfd
Opcode Fuzzy Hash: 43059b3e73cc0a937d18b8e4451ec0b75f6d592ea1e7827c1f721a5224d25a93
Instruction Fuzzy Hash: DE31E921B1C9494FE798EA6C986A27CB7C1EFD9355F0441BEE04EC3397DD68AC418381

Function 00007FFD34770E00 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d299226f3e5d3c838a6fbf9653ed6803b7e6a182a6b6b8509be402bc5678d94e
Instruction ID: 78484e1db45324329646e7bbc5a4741691affba018abfe64cc2c05fd09e61174
Opcode Fuzzy Hash: d299226f3e5d3c838a6fbf9653ed6803b7e6a182a6b6b8509be402bc5678d94e
Instruction Fuzzy Hash: 5341B371F0890A8BEB98EB6888B56B977E1FF59310F54417DD11EE3292DE6CB841C780

Function 00007FFD34770AB0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df0570bb0b1badb9bae96a36c6546b305b5472e1d31ad7ee3ea8b1bb5a5e261
Instruction ID: 4f5cd694b3ade56d270aac8c2e01dc78ae58a88af0d86cfa90962829f9c01232
Opcode Fuzzy Hash: 5df0570bb0b1badb9bae96a36c6546b305b5472e1d31ad7ee3ea8b1bb5a5e261
Instruction Fuzzy Hash: A531E2A1B18D0A8BFB94B7BC486A3BD76D2EBD9306F40017AE00CC3292DD6CA8014391

Function 00007FFD34770949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75554d0fbc5d572c2642086c19f9645ce05217cdaafc2764b333deb76afe43ec
Instruction ID: cc9cb3ac55ea867adfcbd195fdc5c7f345647218648ce5413f109ac2868dd62d
Opcode Fuzzy Hash: 75554d0fbc5d572c2642086c19f9645ce05217cdaafc2764b333deb76afe43ec
Instruction Fuzzy Hash: B531B370B18A4E8FEB54EBA888756FD7BB5FF99300F904579D009D3282CE78A841C791

Function 00007FFD34778639 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b0109124d5dd6627592d81ad1e4c2843ff0428854f9160c11d09fac3cb1e61
Instruction ID: cf8c8aab59cde14c2b490c18959872fcc22053ca08bd8ca2447eca58748cc126
Opcode Fuzzy Hash: 36b0109124d5dd6627592d81ad1e4c2843ff0428854f9160c11d09fac3cb1e61
Instruction Fuzzy Hash: F331E77060DA869FEB56EB3CC8E55B83BF1FF16311B4506A6D008C7292DE78B841C785

Function 00007FFD3477A245 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7cef062c45e68225f4a72cbeb69564dad05b6bfdaaeb4886502dc319979061
Instruction ID: 30287482f20ee62a47cc25b2cf45fea55bbb04012e6d6f938ac4285697523d2e
Opcode Fuzzy Hash: 5d7cef062c45e68225f4a72cbeb69564dad05b6bfdaaeb4886502dc319979061
Instruction Fuzzy Hash: 0331C23050DB488FDB55DFA8D885AEABBF0FF56310F0482AFD089C3562D764A845CB91

Function 00007FFD3477A00D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a22a480ad8abc64ac5d081c673570b2e8a2e4a3365736a76249bade56dae647
Instruction ID: 5726527e34c36440be667a049a3d7084a58084374eee87d484592495c2e900b2
Opcode Fuzzy Hash: 6a22a480ad8abc64ac5d081c673570b2e8a2e4a3365736a76249bade56dae647
Instruction Fuzzy Hash: 3631F190B2DA969EEB12A7B85C717BA7FE5EF47314F4409BAE048C71C3D85C6810C392

Function 00007FFD3477956B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae38da3cac4b9005b4d909d01e0f8a2d76e4d02407b92e2de08af1c51c6d4243
Instruction ID: 5e2cf4a0e1cb52ed7811fdcdfc3073018d11de035f299ba5e5db8a24ab6dc384
Opcode Fuzzy Hash: ae38da3cac4b9005b4d909d01e0f8a2d76e4d02407b92e2de08af1c51c6d4243
Instruction Fuzzy Hash: 9C213CB1F099598FEB98DB2898E56BCBAE1EF45310F40027ED50ED31D2CE6C78418B81

Function 00007FFD34772953 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50cccce2aefc96acb7ca78e537518daabeaa73b9b79e89073134c4c1a80f024
Instruction ID: 4a9966ab25e65d3f4c04687ee2432d7f030c9e8d6e0e5b58e177f2660796dd88
Opcode Fuzzy Hash: a50cccce2aefc96acb7ca78e537518daabeaa73b9b79e89073134c4c1a80f024
Instruction Fuzzy Hash: 08110A61B1CD5A0FE768A62C58652BD76C1FF89214F84457DD04ED72C7CD5C680243C2

Function 00007FFD3477A051 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4ae4df2ab20d6fccaf91d07b6b5a7f83600dc945b5b65624544e42a4dd8794
Instruction ID: 1ddaa7d14dc79d47083ba5117e3bab40dfca5db023163f16fd37b69fdd8f1262
Opcode Fuzzy Hash: 4e4ae4df2ab20d6fccaf91d07b6b5a7f83600dc945b5b65624544e42a4dd8794
Instruction Fuzzy Hash: 2821A190B1DD9A9AF755A7AC58757B97BD1EB4A710F8405B9E009C31C3DC6C78108392

Function 00007FFD3477A169 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d77934657029bc41df64cc76edcf1169ea9099a1c55c39f93af84bdd87fa427
Instruction ID: f413b8f12ab6f63dbecff2268a444ed1e27342f1be2393673a55148e4cc1be82
Opcode Fuzzy Hash: 2d77934657029bc41df64cc76edcf1169ea9099a1c55c39f93af84bdd87fa427
Instruction Fuzzy Hash: A1216561B4D68A8FF74597688C725F67FF1EF8B210B4481BAD189C71C2CD5DA802C382

Function 00007FFD34770E80 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783cd2ecce406c7086b544fa589bfa9fc07a5b97c7df12a47f6b2180d2afd7d5
Instruction ID: e9891cdf5189bcb4b7d7ec1f22d6cf4126913d81d666191cacba4e573a454c2f
Opcode Fuzzy Hash: 783cd2ecce406c7086b544fa589bfa9fc07a5b97c7df12a47f6b2180d2afd7d5
Instruction Fuzzy Hash: 7711B260B2CD2A9AFB54B7AC58667FE76D6EB49704F904578E00DC32C2CD6C781083D2

Function 00007FFD34778261 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260a937cbc7839d7bf343a921cb3e4a45369ed56af33efe793521733b3fe2b8
Instruction ID: b60262e6a19f07127b78e8638ca525941c905ac1725a1ba01ce7eef6ded2406b
Opcode Fuzzy Hash: 6260a937cbc7839d7bf343a921cb3e4a45369ed56af33efe793521733b3fe2b8
Instruction Fuzzy Hash: F9115962E0CA8D4FEB41AB7898660FD7FB0FF2A311F4402B7D148C6193DA285941C381

Function 00007FFD347719B1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f39773ae0795b86fb1e5d17ee474921a74cd0b71058e74401ab34af5c78c89
Instruction ID: 62048fbc678a8aa4cf19ee0ddde0f081453c8cf21c3a8eff9ba6fec042dfa0a9
Opcode Fuzzy Hash: 36f39773ae0795b86fb1e5d17ee474921a74cd0b71058e74401ab34af5c78c89
Instruction Fuzzy Hash: 00014491A0C6C28FE761AA385CB11793FE0CB92250B8845BAD4C9C6297E84CB94183C1

Function 00007FFD34778F1D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d06136bf6f74172757579eb0897983512022180607b2313b860acebc1fee1f
Instruction ID: 10ca297925dc07fc496afc40669d688e75c2b0e26bc43feb425fb8409600b115
Opcode Fuzzy Hash: a2d06136bf6f74172757579eb0897983512022180607b2313b860acebc1fee1f
Instruction Fuzzy Hash: 4301D170B1890B8AF758FBB88CA62B8BA82EF05315F804679E50AD20C3DD5DB45642C1

Function 00007FFD347720FD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44685d1263791814f831e46651567cb441f089fa55cd78bf5ae174c04c3f7445
Instruction ID: 85c2c67e0b37e7cb2246fa112b030046e2f674df656a8c6b96cb6146f8e12c55
Opcode Fuzzy Hash: 44685d1263791814f831e46651567cb441f089fa55cd78bf5ae174c04c3f7445
Instruction Fuzzy Hash: B001A795F0D6824BF7A566B808F62783F81FF96300F9544BAD259C21D7EE9CB8429381

Function 00007FFD347788BC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db2175023569786d9aa06c8068e66aaab621cd8ffa64320fb4873dd0c05582d
Instruction ID: a3ddae7462dfb1c4a2fa105ef37e445ebef26b92a43ce250d617817a7d0dd5c4
Opcode Fuzzy Hash: 2db2175023569786d9aa06c8068e66aaab621cd8ffa64320fb4873dd0c05582d
Instruction Fuzzy Hash: 21E0D871929D4C8BDB40AE6898246E5BFA0FF49358F09006FE55CD2181C66DA550C391

Function 00007FFD3477172D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979d6415b5ee1f464011b13e7ea715878699e6dcc9624ded8d0e9637cad1319d
Instruction ID: 8f008a33b25cfedb4084e60a479b4240268b1e1a968068ad6c74d11147ddb51a
Opcode Fuzzy Hash: 979d6415b5ee1f464011b13e7ea715878699e6dcc9624ded8d0e9637cad1319d
Instruction Fuzzy Hash: 7CD01233F0881949F96473EC24721FCA241EF88171B900375E15EE25C3CD5A54220656

Function 00007FFD34771E38 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a4a57f03f90a31f1a4876856ed32f7d525bc3369c6c599603533cb8bb3fef7
Instruction ID: 5df9e6a1c96a61204314c291c392f794a6683f8797f84a19dfb37576bdcea7a6
Opcode Fuzzy Hash: 96a4a57f03f90a31f1a4876856ed32f7d525bc3369c6c599603533cb8bb3fef7
Instruction Fuzzy Hash: B5D097B284878E8BEF016B1408210F87F60FF41200F8000DAF95C82000CAE4B22403C2

Function 00007FFD34770E88 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106401889.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34770000_0eVxwphG1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9830dde14e54febf771727031fcff9aed104f8cd4ea1f8e7aa52bde4560b1f7
Instruction ID: 757ce17e97001a805876615e61e2f5154f057367121d8787eab2d32cbc98c954
Opcode Fuzzy Hash: d9830dde14e54febf771727031fcff9aed104f8cd4ea1f8e7aa52bde4560b1f7
Instruction Fuzzy Hash: EDB01240D5644640A40431790CD20747840FB47100FD05870D508C00C1E8CE30A421C2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0eVxwphG1t.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0eVxwphG1t.exe_95a65930a35ae566542ba72920c749d8fab6edd_085328c0_0326773b-bcb6-43e9-8356-2e517094e74f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6DF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC867.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC897.tmp.xml

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
0eVxwphG1t.exe