Edit tour

Windows Analysis Report
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Overview

General Information

Sample name:	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe
Analysis ID:	1569859
MD5:	b4743a6a5638d49c9f30f552727423b3
SHA1:	ac26bfe26083f1097a9abb3c5c0d34d6173b10d6
SHA256:	4a568c15ed2c33916d74ce97eb7fd7b39a3e184c2c637ea7cb7a7a3e1e2e5108
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe" MD5: B4743A6A5638D49C9F30F552727423B3)

WerFault.exe (PID: 1424 cmdline: C:\Windows\system32\WerFault.exe -u -p 6500 -s 1756 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76de:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7830:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x78cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x79e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74de:$cnc4: POST / HTTP/1.1
00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe PID: 6500	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x76de:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:53:20.859432+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:23.012619+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:33.807978+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:46.824653+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:52.999772+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:00.015380+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:13.017743+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:17.369849+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:18.870204+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:22.543724+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.006227+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.223101+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:25.741168+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:30.660004+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:31.276861+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:32.365095+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:35.605713+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:35.859927+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:44.656533+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.283987+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.476031+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.607896+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:50.480564+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:53.036106+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:54.652876+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:55.407907+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:57.530420+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:59.452325+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:02.161487+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:07.821410+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:07.975265+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:08.097254+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:08.217398+0100	2852870	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:53:20.913339+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:33.811007+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:46.830354+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:00.025595+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:13.029761+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:17.470002+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:18.874964+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:22.546680+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:23.224868+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:25.743429+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:30.662935+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:31.281192+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:32.367420+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:35.609597+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:35.862462+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:44.659163+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.295257+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.482432+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.610132+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:50.483648+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:54.655059+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:55.412215+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:57.535709+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:59.459333+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:02.163481+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:07.905385+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:08.025501+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:08.145400+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:08.265216+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:53:23.012619+0100	2852874	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:52.999772+0100	2852874	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.006227+0100	2852874	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:53.036106+0100	2852874	1	Malware Command and Control Activity Detected	87.120.116.179	1300	192.168.2.6	49709	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:53:20.470318+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.6	49709	87.120.116.179	1300	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: 87.120.116.179
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: 1300
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: <123456789>
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: 02-12-24
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	String decryptor: USB.exe

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: .pdb2 source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC$ source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3466018270.0000000000C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3466018270.0000000000C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbMZ@ source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbSystem.Configuration.ni.dll source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbl source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdbP source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdbq1 source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbSystem.Xml.ni.dllSystem.Management.dll.> source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.PDBaMm source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb` source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb,R( source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA6A000.00000004.00000020.00020000.00000000.sdmp, 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA6C000.00000004.00000020.00020000.00000000.sdmp, WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbTEM source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb\|B source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49709 -> 87.120.116.179:1300
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.6:49709
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49709 -> 87.120.116.179:1300
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.6:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.116.179

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 87.120.116.179:1300

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Code function: 0_2_00007FFD34897711	0_2_00007FFD34897711
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Code function: 0_2_00007FFD34892A58	0_2_00007FFD34892A58
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Code function: 0_2_00007FFD34896961	0_2_00007FFD34896961
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Code function: 0_2_00007FFD34892A00	0_2_00007FFD34892A00

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6500 -s 1756

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000000.2093459800.000000000071C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefecha.exe4 vs 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Binary or memory string: OriginalFilenamefecha.exe4 vs 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\B48go7npq3kwDYCH
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6500

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\00024f70-2a8b-4ee8-b472-4737bb54f8a8

Jump to behavior

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

File read: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe "C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe"
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6500 -s 1756

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: .pdb2 source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC$ source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3466018270.0000000000C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3466018270.0000000000C34000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbMZ@ source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbSystem.Configuration.ni.dll source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbl source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdbP source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdbq1 source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbSystem.Xml.ni.dllSystem.Management.dll.> source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.PDBaMm source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb` source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb,R( source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA6A000.00000004.00000020.00020000.00000000.sdmp, 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001BA6C000.00000004.00000020.00020000.00000000.sdmp, WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbTEM source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb\|B source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473524059.000000001B5E9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3193.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3193.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Memory allocated: B90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Window / User API: threadDelayed 4769			Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Window / User API: threadDelayed 5062			Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe TID: 6368	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe TID: 1616	Thread sleep count: 4769 > 30	Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe TID: 1616	Thread sleep count: 5062 > 30	Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3473726847.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW <%SystemRoot%\system32\mswsock.dlldlImporters>
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe PID: 6500, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe PID: 6500, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	1 Input Capture	131 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	100%	Avira	TR/Spy.Gen
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
87.120.116.179	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
87.120.116.179	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe, 00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.116.179	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569859
Start date and time:	2024-12-06 10:52:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
04:53:06	API Interceptor	4501706x Sleep call for process: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe modified
04:55:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
87.120.116.179	1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	yIla7SeJ6r.doc	Get hash	malicious	XenoRAT	Browse	87.120.120.27
	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse	87.120.120.27
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Stealc, Vidar	Browse	87.120.125.31
	po4877383.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	e824975.html	Get hash	malicious	Unknown	Browse	87.120.114.172
	qqig1mHX8U.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse	87.120.125.217

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ZRJNUZQFGKQ05XT0_3b786cba4f5746906da1f33bd2442e8438dc9b_e1beddc7_ccbdac7f-0f84-4b61-bad1-7ffdea0d5ca9\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2837951756032393
Encrypted:	false
SSDEEP:	192:3flGivSg2ntt3081iHRmuaWz8iyrHltlFTzuiF+Z24lO8WnY:3ghDnc81iZa48iYVTzuiF+Y4lO8n
MD5:	6533E92EA8ED8035661B8D44A7ADEE09
SHA1:	09ADF82B0A6056F63F60FA50CF6ED35F2EAB436C
SHA-256:	221DD6B71F6F868E547922B1FDE8757900961ABDD1645D16C999766B076E6BE6
SHA-512:	09749D540D18B88EBCD9AA381BF87ECAACDBEBF5A291C6D91D6F18FAC755839F27E7E86C6876F5F8E5398007D28005F2D1F7290E17E8F7CD2D4938BDAB0C4179
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.5.2.5.0.8.4.3.0.6.9.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.5.2.5.0.9.0.5.5.6.8.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.b.d.a.c.7.f.-.0.f.8.4.-.4.b.6.1.-.b.a.d.1.-.7.f.f.d.e.a.0.d.5.c.a.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.d.a.c.3.1.3.-.5.2.3.c.-.4.1.6.7.-.a.7.e.9.-.3.3.f.9.8.f.4.b.c.b.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.7.3.3.4.7.7.4.1.0.9.0.e.2.3.c.9.e.b.d.2.c.4.b.6.0.4.c.7.1.6.2.3.7.6.3.c.b.c.e.9.9.a.e.c.6.5.0.e.3.f.9.e.2.7.d.3.5.f.4.f.3.d.c.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.e.c.h.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.4.-.0.0.0.1.-.0.0.1.5.-.0.8.b.c.-.a.8.a.0.c.4.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.4.b.e.7.3.f.7.7.3.9.8.8.8.1.0.c.b.9.e.a.6.e.1.4.c.7.0.0.3.9.0.0.0.0.0.0.0.0.!.0.0.0.0.a.c.2.6.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3193.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Dec 6 09:55:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	587670
Entropy (8bit):	3.024150247191282
Encrypted:	false
SSDEEP:	3072:0xarvo9ES1K291CCqKKRKuF73+vtPcybn4aP2FE1bcSK2Pt6:0xarSES/qKkKA3QhtrTOE1PZV
MD5:	955E943C4CE3CA394F82D3454CAD4851
SHA1:	F184D96752B718F04D831B8E28A6583047F420B9
SHA-256:	868B2EDD6199EA0E765F2D15B87273D9D9D5B46DADAAD576291B2C2CB7D31A6C
SHA-512:	B2B444DF48E6D66566CB8E6393825A56D5D86C2E87A282298336B64AA2CF6265DC1DD9F38B9789A463D3BA8F9BDB3F7E74E6CDEFA916849ACBA77B61B094AD75
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Rg........................H...........$....&.......... '......dA..............l.......8...........T............D...............6...........8..............................................................................eJ.......8......Lw......................T.......d...y.Rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER333A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9120
Entropy (8bit):	3.713809142870005
Encrypted:	false
SSDEEP:	192:R6l7wVeJsbeOl56Y2DQ/gmfZQA8Mprl89bymg2jfcGm:R6lXJbOr6Yd/gmfZyyx2jfE
MD5:	C172FACC2C631C34A421BA9D2FFFF572
SHA1:	72C0CD344AB31314180E6CC5FD2C350078CF50CC
SHA-256:	03F77616937FD2423A1E2C26AD6C91F089E0DA67C6D435EDE6D96E0583EC8B10
SHA-512:	28A3798A7ADD988EAB1613C23AF8A41E8B267D0469D2E6F140768BCA901FFA8D9DC6EB5D307ABC763930543A8DD41E7D2B2C9B428B67C9C334FA5ECF7127C45C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER336A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5018
Entropy (8bit):	4.585564108203294
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZqJg771I9IiGWpW8VYiYm8M4Jtopgu15Fpyq8vagu1mE6BiUSUHd:uIjfiI7WH7VaJtNK9W1KmESvfHd
MD5:	43EB883497E368582109C1337FBDF72C
SHA1:	D2B7BACFE30B970CDD69C353249A574430767D7A
SHA-256:	8B66C4C330236598984AAF9A378ED89140FAC97A9533F8AAAED1645C465937C3
SHA-512:	3F266CFFBE39E7099446E9CD78709AB49806F66B970BE5EBDC2CC9DDEB51C86EAD2BA4DB37F739C13B881ADB6031E631A44C022F00402D870E2019CF3DECC522
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="619257" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469198306835888
Encrypted:	false
SSDEEP:	6144:uzZfpi6ceLPx9skLmb0fvZWSP3aJG8nAgeiJRMMhA2zX4WABluuNajDH5S:wZHtvZWOKnMM6bFp4j4
MD5:	1D8063CB285A7B5FBC275E14765D806D
SHA1:	198344AEB4BE3547C61D06124598CA52CECB8EF6
SHA-256:	C1E68BB4EEFCE0C2FA07BE7DB5FAC09EC57B8ED27F7DDA8D08D03A40E9F92DBD
SHA-512:	2D4974EB415EBDACB7956E58B13FD484CD41F669BFCAFD3F70915923B90F1EBC66DD510CDDDED29BC2C6907E278FDD473408805DCFA3A7A4FD0C6F007BF2AF9F
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....G...............................................................................................................................................................................................................................................................................................................................................&..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.609914403824082
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe
File size:	36'864 bytes
MD5:	b4743a6a5638d49c9f30f552727423b3
SHA1:	ac26bfe26083f1097a9abb3c5c0d34d6173b10d6
SHA256:	4a568c15ed2c33916d74ce97eb7fd7b39a3e184c2c637ea7cb7a7a3e1e2e5108
SHA512:	e9c1dbb0cc60a4aeb9ee48c8d06a040d630ba6a8afbcc4a520e46cc162ba95842be2132da5e98ecda1ed0251799568c80d080da2977a33d8aa3160196ed2ebb2
SSDEEP:	768:AL13A5Uno9RfHWa2BLTeo8icH1bxbFb9EKOMhyQXve:+xA5Uno9JHWXHeNicH1bBFb9EKOMg6e
TLSH:	31F24C48BBA04216D9ED6FF5A97372020674D613D917EB4E4CD48ADB6F27BC08D013EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Mg................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a5de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674DD492 [Mon Dec 2 15:38:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa590	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x85e4	0x8600	ac228924f28390beeb61bde56a892df0	False	0.49903801305970147	data	5.746216076640766	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d0	0x600	5fcbb005cb3bd9247736c6d9baa0fd6c	False	0.3736979166666667	data	3.6919436416194142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	0a3a083968c42d8366b2de0e8564a094	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x23c	data			0.47202797202797203
RT_MANIFEST	0xc2e0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T10:53:20.470318+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:20.859432+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:20.913339+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:23.012619+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:23.012619+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:33.807978+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:33.811007+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:46.824653+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:46.830354+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:53:52.999772+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:53:52.999772+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:00.015380+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:00.025595+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:13.017743+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:13.029761+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:17.369849+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:17.470002+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:18.870204+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:18.874964+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:22.543724+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:22.546680+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:23.006227+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.006227+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.223101+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:23.224868+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:25.741168+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:25.743429+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:30.660004+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:30.662935+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:31.276861+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:31.281192+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:32.365095+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:32.367420+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:35.605713+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:35.609597+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:35.859927+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:35.862462+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:44.656533+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:44.659163+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.283987+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.295257+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.476031+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.482432+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:47.607896+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:47.610132+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:50.480564+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:50.483648+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:53.036106+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:53.036106+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:54.652876+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:54.655059+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:55.407907+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:55.412215+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:57.530420+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:57.535709+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:54:59.452325+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:54:59.459333+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:02.161487+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:02.163481+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:07.821410+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:07.905385+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:07.975265+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:08.025501+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:08.097254+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:08.145400+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP
2024-12-06T10:55:08.217398+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.116.179	1300	192.168.2.6	49709	TCP
2024-12-06T10:55:08.265216+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.6	49709	87.120.116.179	1300	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 10:53:06.850649118 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:06.970417023 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:06.970515013 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:07.180315018 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:07.300112963 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:20.470318079 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:20.590065002 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:20.859431982 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:20.902277946 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:20.913338900 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:21.033163071 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:23.012619019 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:23.058593988 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:33.418396950 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:33.539777994 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:33.807977915 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:33.811007023 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:33.930751085 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:46.434525013 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:46.554335117 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:46.824652910 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:46.830353975 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:46.950211048 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:52.999772072 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:53:53.043112993 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:59.624898911 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:53:59.744832993 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:00.015379906 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:00.025594950 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:00.145390987 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:12.621562958 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:12.741523981 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:13.017743111 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:13.029761076 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:13.149547100 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:16.981009960 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:17.100699902 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:17.369848967 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:17.418179989 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:17.470001936 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:17.589875937 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:18.481168985 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:18.600981951 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:18.870203972 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:18.874963999 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:18.994699001 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:22.153013945 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:22.272716999 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:22.543724060 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:22.546679974 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:22.666573048 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:22.824795008 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:22.944569111 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:23.006227016 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:23.058845997 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:23.223100901 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:23.224868059 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:23.344779968 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:25.324821949 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:25.444617033 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:25.741168022 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:25.743428946 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:25.863185883 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:30.123842001 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:30.243628979 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:30.660003901 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:30.662935019 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:30.783260107 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:30.840539932 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:30.960264921 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:31.276860952 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:31.281192064 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:31.400917053 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:31.950340986 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:32.070790052 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:32.365094900 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:32.367419958 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:32.487226963 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.197060108 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:35.316759109 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.465569973 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:35.585283041 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.605712891 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.609596968 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:35.772458076 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.859926939 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:35.862462044 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:35.982271910 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:44.231354952 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:44.351103067 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:44.656533003 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:44.659162998 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:44.779004097 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:46.871927977 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:46.991662979 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:46.991727114 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:47.111397982 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.283987045 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.295257092 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:47.415621996 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.476031065 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.482431889 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:47.602844954 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.607896090 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:47.610131979 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:47.772404909 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:50.075989962 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:50.331238985 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:50.480564117 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:50.483648062 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:50.603486061 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:53.036106110 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:53.090287924 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:54.262645960 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:54.382564068 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:54.652875900 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:54.655059099 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:54.776168108 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:55.012562990 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:55.132329941 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:55.407907009 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:55.412214994 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:55.531879902 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:57.137948036 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:57.257891893 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:57.530420065 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:57.535708904 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:57.655432940 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:59.059984922 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:59.179676056 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:59.452325106 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:54:59.459332943 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:54:59.579185009 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:01.762281895 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:01.881951094 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:02.161487103 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:02.163480997 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:02.283564091 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.418857098 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.538594007 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.538667917 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.663300037 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.663364887 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.783795118 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.783849001 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.821409941 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.871583939 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.905340910 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:07.905385017 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:07.975265026 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.025451899 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.025501013 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:08.097254038 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.145343065 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.145400047 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:08.217397928 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.265130997 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.265216112 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:08.337363958 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.384959936 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:08.388326883 CET	49709	1300	192.168.2.6	87.120.116.179
Dec 6, 2024 10:55:08.507996082 CET	1300	49709	87.120.116.179	192.168.2.6
Dec 6, 2024 10:55:16.103601933 CET	49709	1300	192.168.2.6	87.120.116.179

Analysis Process: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exePID: 6500, Parent PID: 4004

General

Target ID:	0
Start time:	04:52:57
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe"
Imagebase:	0x710000
File size:	36'864 bytes
MD5 hash:	B4743A6A5638D49C9F30F552727423B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2093444836.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3468154623.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:55:08
Start date:	06/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6500 -s 1756
Imagebase:	0x7ff638fe0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exePID: 6500, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34892A00 Relevance: 2.4, Strings: 1, Instructions: 1140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD3489B1A0

Memory Dump Source

Source File: 00000000.00000002.3474552152.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f106.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2ebe0bdc7d3553c613c02e6bdf13272901c99caf7b2ce15c2e63856a3b03fbd8
Instruction ID: 37d5e1b970f25fdd403f2adb08dcec3cb13387f5d539c4c576ba9f5cd84d46cc
Opcode Fuzzy Hash: 2ebe0bdc7d3553c613c02e6bdf13272901c99caf7b2ce15c2e63856a3b03fbd8
Instruction Fuzzy Hash: 7D726230B1890A8FEB98FB7C84A56BD77D6FF9A310B514578D50ED7282DE2CE8429740

Function 00007FFD34892A58 Relevance: .6, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3474552152.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba6fbd2e3e2de064dcb2b5b7abdb9071adb4284bdb0aad7b6fcbe65cc7d69d1
Instruction ID: d239f42fd5f59a4d8cf81cf3c52ae25f119bf760d51209b7b6884a4787b6c60d
Opcode Fuzzy Hash: cba6fbd2e3e2de064dcb2b5b7abdb9071adb4284bdb0aad7b6fcbe65cc7d69d1
Instruction Fuzzy Hash: 77020967B0DA924FE7929B6C54F51E53FA0EF93324B0804B6D289C71D3ED2D780A9391

Function 00007FFD34896961 Relevance: .4, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3474552152.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61452b2643fb7afa6e7535a756df8088bcf68e2e5535058923794ca3ad6b687e
Instruction ID: b2d6bd644fa8bf891f81db6a713afdb686b1579c9d06b15c0238bf7ec250dce6
Opcode Fuzzy Hash: 61452b2643fb7afa6e7535a756df8088bcf68e2e5535058923794ca3ad6b687e
Instruction Fuzzy Hash: 59D16330A18E4D8FEBA8DF28C8557E977D1FB58300F44826EE80DD7295DF78A9458B81

Function 00007FFD34897711 Relevance: .4, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3474552152.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95e6aea3839ddfc7e47834dbc89b091a2e6d8bd65fce0d323a2b9b6b8e2d966
Instruction ID: 699e69ad3dc35150d950504132caf1f127cf93b69dc6530239be23a929ad7a3f
Opcode Fuzzy Hash: a95e6aea3839ddfc7e47834dbc89b091a2e6d8bd65fce0d323a2b9b6b8e2d966
Instruction Fuzzy Hash: EBD15230A18E4D8FEBA8DF28C8A57E977D1FB58311F14426ED80DC7695DF7899408B81

Function 00007FFD34891BE8 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD34891CB1

Memory Dump Source

Source File: 00000000.00000002.3474552152.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f106.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b1b13c417cee684506de27f537bcedb13f97b61234913f5642fcd3678d79046c
Instruction ID: e6368bedd745e84910216b782593a314238491212b13a921d341d08d842de850
Opcode Fuzzy Hash: b1b13c417cee684506de27f537bcedb13f97b61234913f5642fcd3678d79046c
Instruction Fuzzy Hash: 5B410A30A1CA4D4FEB18EF6C98566F97BE1EF5A321F04427ED049D3292CE75A85287C1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ZRJNUZQFGKQ05XT0_3b786cba4f5746906da1f33bd2442e8438dc9b_e1beddc7_ccbdac7f-0f84-4b61-bad1-7ffdea0d5ca9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3193.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER333A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER336A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe

Function 00007FFD34892A00 Relevance: 2.4, Strings: 1, Instructions: 1140
COMMON

Function 00007FFD34892A58 Relevance: .6, Instructions: 594
COMMON

Function 00007FFD34896961 Relevance: .4, Instructions: 397
COMMON

Function 00007FFD34897711 Relevance: .4, Instructions: 380
COMMON

Function 00007FFD34891BE8 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON