Edit tour

Windows Analysis Report
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Overview

General Information

Sample name:	173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe
Analysis ID:	1580251
MD5:	ab3766f7372b2245890555c9c664a18d
SHA1:	50f3b2a9a540e6d1530d85e637c86fba669f0a15
SHA256:	0e94f0ea1581540d383a7d87b54d37c1157ad38398bbe87d670214e56caf775f
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe" MD5: AB3766F7372B2245890555C9C664A18D)

WerFault.exe (PID: 7104 cmdline: C:\Windows\system32\WerFault.exe -u -p 7012 -s 1520 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["191.55.136.12"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5951:$str01: $VB$Local_Port 0x5942:$str02: $VB$Local_Host 0x5c52:$str03: get_Jpeg 0x55fa:$str04: get_ServicePack 0x65ee:$str05: Select * from AntivirusProduct 0x67ec:$str06: PCRestart 0x6800:$str07: shutdown.exe /f /r /t 0 0x68b2:$str08: StopReport 0x6888:$str09: StopDDos 0x698a:$str10: sendPlugin 0x6a0a:$str11: OfflineKeylogger Not Enabled 0x6b70:$str12: -ExecutionPolicy Bypass -File " 0x6c99:$str13: Content-length: 5235
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bb4:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bdf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cf4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69b4:$cnc4: POST / HTTP/1.1
Process Memory Space: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe PID: 7012	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5951:$str01: $VB$Local_Port 0x5942:$str02: $VB$Local_Host 0x5c52:$str03: get_Jpeg 0x55fa:$str04: get_ServicePack 0x65ee:$str05: Select * from AntivirusProduct 0x67ec:$str06: PCRestart 0x6800:$str07: shutdown.exe /f /r /t 0 0x68b2:$str08: StopReport 0x6888:$str09: StopDDos 0x698a:$str10: sendPlugin 0x6a0a:$str11: OfflineKeylogger Not Enabled 0x6b70:$str12: -ExecutionPolicy Bypass -File " 0x6c99:$str13: Content-length: 5235
0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bb4:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T07:37:18.768059+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49776	191.55.136.12	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["191.55.136.12"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for submitted file

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Virustotal: Detection: 75%			Perma Link
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: 191.55.136.12
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: 7000
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: <123456789>
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: XWorm V5.2
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	String decryptor: USB.exe

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Management.pdbSystem.Configuration.ni.dllSystem.Xml.dll source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: root:\Windows\dll\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdbpHY source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2782161396.0000000001294000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbq source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Management.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER53E8.tmp.dmp.7.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 191.55.136.12:7000
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49776 -> 191.55.136.12:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 191.55.136.12

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 191.55.136.12:7000

Source: Joe Sandbox View

ASN Name: ALGARTELECOMSABR ALGARTELECOMSABR

Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 191.55.136.12

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Code function: 0_2_00007FFD9B885DE6		0_2_00007FFD9B885DE6
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Code function: 0_2_00007FFD9B886B92		0_2_00007FFD9B886B92

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7012 -s 1520

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7012
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\Vbpbf1UvMZzk7oZY

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ab52ada7-6d5b-4b43-bf48-f26506d6a173

Jump to behavior

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Virustotal: Detection: 75%
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

File read: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe "C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe"
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7012 -s 1520

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Management.pdbSystem.Configuration.ni.dllSystem.Xml.dll source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: root:\Windows\dll\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdbpHY source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2782161396.0000000001294000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbq source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Management.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784446938.000000001BB28000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER53E8.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER53E8.tmp.dmp.7.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Memory allocated: 16D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Window / User API: threadDelayed 9437			Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Window / User API: threadDelayed 415			Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe TID: 6348	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe TID: 6376	Thread sleep count: 9437 > 30	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe TID: 6376	Thread sleep count: 415 > 30	Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2782161396.00000000012E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.0000000003697000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.0000000003697000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.0000000003697000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.0000000003697000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.0000000003697000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF58000.00000004.00000020.00020000.00000000.sdmp, 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2784541111.000000001BF30000.00000004.00000020.00020000.00000000.sdmp, 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2782161396.0000000001220000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe PID: 7012, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe PID: 7012, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	131 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	75%	Virustotal		Browse
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	100%	Avira	HEUR/AGEN.1305769
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
191.55.136.12	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
191.55.136.12	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, 00000000.00000002.2783198253.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
191.55.136.12	unknown	Brazil		53006	ALGARTELECOMSABR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580251
Start date and time:	2024-12-24 07:35:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.12.23.50, 13.107.246.63, 20.190.177.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe, PID 7012 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:36:02	API Interceptor	1625688x Sleep call for process: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe modified
01:37:47	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALGARTELECOMSABR	splspc.elf	Get hash	malicious	Unknown	Browse	200.225.212.176
	armv5l.elf	Get hash	malicious	Unknown	Browse	187.72.191.192
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	189.41.50.243
	nsharm7.elf	Get hash	malicious	Mirai	Browse	177.69.78.91
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	187.32.70.87
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	200.170.129.132
	17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe	Get hash	malicious	Remcos	Browse	177.106.216.153
	sh4.elf	Get hash	malicious	Unknown	Browse	179.104.134.110
	armv5l.elf	Get hash	malicious	Unknown	Browse	187.32.190.62
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	189.41.131.148

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KWTQ2QTIX5Z3IKMK_d74501e9c317ebe9026991a5361205662c78bb2_221d1681_994cad59-7b7d-45ae-bec4-0a62cd7695e7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2465980401160877
Encrypted:	false
SSDEEP:	192:9JdGczd9N081iHBaWz8iyolHHFVzuiFhZ24lO8b:TdGodE81iha48irnHzuiFhY4lO8b
MD5:	BCA008729B1F64B92FA369D2802376CA
SHA1:	5CF395BC5CE1C7C4D33F3732BD4A7DA386F0AF2E
SHA-256:	643EC6277392C7E0256CC3B9586B50EA650E17952950834FBC2959E599A675B8
SHA-512:	606DC21CC2C053A042B1F4A1919C752E4B8FDFE377E839CA0D0649A6BEA23EC0A65912855A8A3231C1C1207DFBF0D0E402DB5686373B7CB9C952BAB31A5CB0F5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.9.5.8.4.6.9.1.7.8.6.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.9.5.8.4.7.7.1.4.7.2.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.4.c.a.d.5.9.-.7.b.7.d.-.4.5.a.e.-.b.e.c.4.-.0.a.6.2.c.d.7.6.9.5.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.e.4.7.9.7.8.-.1.f.7.1.-.4.a.0.c.-.b.9.9.1.-.3.2.1.a.0.7.0.4.5.8.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.7.3.5.0.2.2.0.4.4.1.7.f.1.2.9.d.f.8.9.d.a.4.d.d.b.3.f.c.a.8.4.e.d.c.a.9.d.2.d.b.6.1.d.e.c.e.c.3.1.7.e.4.2.9.2.a.4.5.f.c.f.6.a.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.4.-.0.0.0.1.-.0.0.1.4.-.9.a.6.a.-.e.2.1.7.c.e.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.8.e.7.d.1.0.2.a.b.1.b.8.1.8.3.4.5.4.f.f.8.4.8.0.d.0.7.7.5.1.0.0.0.0.0.0.0.0.!.0.0.0.0.5.0.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53E8.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Dec 24 06:37:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	462180
Entropy (8bit):	3.056926940128552
Encrypted:	false
SSDEEP:	3072:HMuaOY5a2/69mqBt4dRmANcS1NPB1CCqh4utoH29X3+vQtdN9tdN9tdN9tdHiW:HMUHXnBt2m+35qyutY2h3QuB
MD5:	BD00B7FF3F34C023D320A09DBD7A0E87
SHA1:	6829F95AE98C3597A7E514B918F21EE2B547CA3D
SHA-256:	34869D658DDE011B7473043032A8965F762C3D14F744D4F532B383FBCF082C16
SHA-512:	F7303A5C1CF7EDD0FE50C221545FAF1AC9F0194487EC75B22A90B09B7882F09B3F2DCA97131C9394B9F7DDD1EEB1C45B23E13FFB22BEB5066C692761DB4F1597
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Vjg........................p...........$...d%...........%.......2..............l.......8...........T............;..............d1..........P3..............................................................................eJ.......3......Lw......................T.......d...NVjg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55AF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9078
Entropy (8bit):	3.7149995724188294
Encrypted:	false
SSDEEP:	192:R6l7wVeJNdyW6Y9YBBhgmfZf8RprK89b0D7af78m:R6lXJXyW6YSBXgmfhO0faf1
MD5:	19ED62A6ED12D61A5DBDBE564EB497EB
SHA1:	5B5775E57BE439B92B574B827E1FA2271AD57400
SHA-256:	B29D4A58F023607F6170CE237843A8988ED842BB9794AD9251FE198FA2D77020
SHA-512:	6571E7C16DFF2418BFBBBBFD73CEC3665B30176F92B9471A56409EC2A6DDBF97A42B0C8FEEE2E5EBF0929BED2BC3D9FCF7E9D48AB3367C62F26828214F9AEB99
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DE.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5024
Entropy (8bit):	4.581858594531639
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I9O5WpW8VYNYm8M4JI68AtDFuyq8vktDV5kb68mnb68mZd:uIjfpI79I7VlJgWsVtsZd
MD5:	3DBB94CF84BFE30C147301E39E5EA0E6
SHA1:	377BFD56B20DEC99551FA6F3A16AEA9C65FBAA44
SHA-256:	8798E690A596475F99C7860F43B5B95FB36574FEBC11D9F3453102B7B36968B7
SHA-512:	B5EC58DA38EA60DC587A3A7E9F16D513600AC49E3FB8979A79583AA9912C6744BE720A434DC9D478356CA908325C405FD0EC148D40F538B1C459AFB7AEF12C99
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="644980" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466108738272469
Encrypted:	false
SSDEEP:	6144:/IXfpi67eLPU9skLmb0b4cWSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbyi:wXD94cWlLZMM6YFHj+yi
MD5:	E00C3E103CD4F27A2971CD00098B63D2
SHA1:	78FAB50F8DD60BBECF50D3A7E23A5EBA97EFD4AF
SHA-256:	4D7C9013A8278F420D923E500CA99550E04E392018456312BE49B70AA877C776
SHA-512:	7B53FFAD66492103D1922D121540ADFF7211EED2FE30C0E1C143035B7C16F215768C89F956D5DA47628597AAB61437B6CFC293ABE1BD8ABEC33123A964F3DCFD
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..8L.U................................................................................................................................................................................................................................................................................................................................................/x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.541561963145867
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe
File size:	33'792 bytes
MD5:	ab3766f7372b2245890555c9c664a18d
SHA1:	50f3b2a9a540e6d1530d85e637c86fba669f0a15
SHA256:	0e94f0ea1581540d383a7d87b54d37c1157ad38398bbe87d670214e56caf775f
SHA512:	3275d222f026dd25e7732a2b1215e1b26abc4af6f58475dfe2911e4cad302d4be7660d9c7df4fc8333ead31b75445fb3a23aea9f3d624407f4c7a9fff67d1acc
SSDEEP:	768:hUa+vNohsXn42JiB70LVF49j0QOjhobT:cvNohsn4WiR05F49jROjCf
TLSH:	C1E24A4477A48626DAEE6FF528F352051274D517CC23EF6E0CE489EA2B67AC087407E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^ig.................z............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40982e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695EA9 [Mon Dec 23 12:59:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7834	0x7a00	708c13698d02f83c99647d69f7d07106	False	0.4934362192622951	data	5.687318504846938	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	1b2507215d7d787a9e1714fce30ae780	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T07:36:14.617844+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	191.55.136.12	7000	TCP
2024-12-24T07:37:18.768059+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49776	191.55.136.12	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 07:36:03.147241116 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:03.267019033 CET	7000	49730	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:03.267144918 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:03.452023029 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:03.571693897 CET	7000	49730	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:14.617844105 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:14.737584114 CET	7000	49730	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:25.167157888 CET	7000	49730	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:25.167262077 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:26.471328020 CET	49730	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:26.472919941 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:26.590878010 CET	7000	49730	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:26.592489004 CET	7000	49737	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:26.592631102 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:26.622848034 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:26.742449999 CET	7000	49737	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:39.377660990 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:39.497447014 CET	7000	49737	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:48.510988951 CET	7000	49737	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:48.511069059 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:49.986552000 CET	49737	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:49.987529039 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:50.106542110 CET	7000	49737	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:50.107131958 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:36:50.107213020 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:50.136521101 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:36:50.257761002 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:02.389374971 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:02.508861065 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:11.314948082 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:11.435112000 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:11.435180902 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:11.554820061 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:11.554903984 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:11.674472094 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:12.011676073 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:12.014676094 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:12.014676094 CET	49738	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:12.018789053 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:12.134532928 CET	7000	49738	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:12.138370991 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:12.139285088 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:12.354983091 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:12.474562883 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:17.377671003 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:17.497292042 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:17.497358084 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:17.616949081 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:17.617013931 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:17.736476898 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:17.736568928 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:17.857001066 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:18.768059015 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:18.887721062 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:34.043109894 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:34.043237925 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:48.328964949 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:48.339245081 CET	49776	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:48.339893103 CET	49868	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:48.448561907 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:48.458842039 CET	7000	49776	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:48.459486961 CET	7000	49868	191.55.136.12	192.168.2.4
Dec 24, 2024 07:37:48.459578037 CET	49868	7000	192.168.2.4	191.55.136.12
Dec 24, 2024 07:37:49.019381046 CET	49868	7000	192.168.2.4	191.55.136.12

Analysis Process: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exePID: 7012, Parent PID: 2580

General

Target ID:	0
Start time:	01:35:58
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe"
Imagebase:	0xe90000
File size:	33'792 bytes
MD5 hash:	AB3766F7372B2245890555C9C664A18D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1690158878.0000000000E92000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:37:26
Start date:	24/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7012 -s 1520
Imagebase:	0x7ff602fe0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exePID: 7012, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B885DE6 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240f333ae106e1ac253e64b28dcc235a075ad1b6af38611e231dff39845211e1
Instruction ID: a22f5c1ec9a08cce9fefbe5b48f0a9a851c1720412735441514ed4a87eb2e3d5
Opcode Fuzzy Hash: 240f333ae106e1ac253e64b28dcc235a075ad1b6af38611e231dff39845211e1
Instruction Fuzzy Hash: 48F1A570A09A8E8FEBA8DF28C8557E937E1FF58310F04426EE85DC7295DF3499458B81

Function 00007FFD9B886B92 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a4ddcb41ff2cfa22f797ddbdf5559503838ea8586fd28897faa419894a90d0
Instruction ID: 696e1f928ec68f4c73f70280eacad8d9507d3a6826fa09f78ff1c3557e9e2684
Opcode Fuzzy Hash: d9a4ddcb41ff2cfa22f797ddbdf5559503838ea8586fd28897faa419894a90d0
Instruction Fuzzy Hash: 97E1D670A09E4E8FEBA8DF28C8657E937E1FF58310F14426ED85DC7295DE34A9418B81

Function 00007FFD9B887D51 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B887DC3

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4824044fe6b3a1ee54ccace01e478d4ef8b8d038494db3c9915879ab13494b1e
Instruction ID: d1efd192482366ef399fa6bc53b8de9e1ef0f6eddc68d56848652da8c0b934df
Opcode Fuzzy Hash: 4824044fe6b3a1ee54ccace01e478d4ef8b8d038494db3c9915879ab13494b1e
Instruction Fuzzy Hash: 4B213231D0EA9E4FEB10DBA4C8246F9BBF0EF4A310F0A01BBC469D71A2CB3855418791

Function 00007FFD9B8822C0 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B887DC3

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 78b330f31961cd4a8009c2c1b0befce9904f7be8a062533294d783bd060e5d48
Instruction ID: 858c847cf42ac285e15d750d5d100ba67136f1ca88c603364cb9d07e0d86c68b
Opcode Fuzzy Hash: 78b330f31961cd4a8009c2c1b0befce9904f7be8a062533294d783bd060e5d48
Instruction Fuzzy Hash: 8E11A535E0A91E4BEB24EBA884156FDB6B1EF4C314F01013AD92DE2294DB3966404791

Function 00007FFD9B881D85 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e348dc0f4214b0ff27d6df6922c2d27743ca91d2c43db1d8c9e686fb1b5c42
Instruction ID: 41040d5c3979ebb9aa1084ae1f8eb313b150075101c70887ee0f760389507246
Opcode Fuzzy Hash: a8e348dc0f4214b0ff27d6df6922c2d27743ca91d2c43db1d8c9e686fb1b5c42
Instruction Fuzzy Hash: C1C15961B1DE890FE7A9AB7C48356B967D2FF9C350B4401BED46DC72D7DE2868028381

Function 00007FFD9B8874C5 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5048e417c28feaf344357da40542a272961d6338c02f01b620e888e1736dbe87
Instruction ID: fa9692c6a6b066c66600fa8e28663a8c5d36fe1f35179a36d0092dd0a8ce651c
Opcode Fuzzy Hash: 5048e417c28feaf344357da40542a272961d6338c02f01b620e888e1736dbe87
Instruction Fuzzy Hash: BA41E556B0FAC94FE762A7B818351B87FA0EF56614B0901FBD4ACC70E3DD285A418352

Function 00007FFD9B8867A6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b625522f40578691b6658d6d61e53e7f594313e73b2d332ec8f9a008666d49
Instruction ID: bf1742c6fda12228eea38cf0b7d66c432da8560f71aa880bc22b2f7f45bb5071
Opcode Fuzzy Hash: f8b625522f40578691b6658d6d61e53e7f594313e73b2d332ec8f9a008666d49
Instruction Fuzzy Hash: D9B1F77060DA4D8FEB69DF28D8557E93BE0FF59310F00426AE85DC72D2CA3499458B82

Function 00007FFD9B880700 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8ffa8260d45c8582065756d83abd88ecc656746cdc372aa5511a3baf352ba3
Instruction ID: 1610c688e11f9622eb3d8c063650fe72c460c37abbe1af91ae42b009f59668df
Opcode Fuzzy Hash: da8ffa8260d45c8582065756d83abd88ecc656746cdc372aa5511a3baf352ba3
Instruction Fuzzy Hash: 31A13521B19E4D4BE7ACEB6C44657B9A6D2FF9C350F94017DE46EC32D6DE3868028381

Function 00007FFD9B882635 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d973ba555fe3151332b6a14a37ff427b93e123494dbbbbb9f8314c5866dec7cf
Instruction ID: f2439f1e3dbe969ba36532501dae737de25419bc3bed46f353083a2b32eecde3
Opcode Fuzzy Hash: d973ba555fe3151332b6a14a37ff427b93e123494dbbbbb9f8314c5866dec7cf
Instruction Fuzzy Hash: E9A146207299098BE799B7AC9865BB9B2D2FF98301F5401B7E81DC33E7DD2C6C428651

Function 00007FFD9B880740 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908f6fd5ad3b2977cc275bfbe6233ec29b8e36740541767609af42bde6862aee
Instruction ID: cd8897271315b2448b1e3120058af594f09a9346cd6dae8de0f771e139ab7f44
Opcode Fuzzy Hash: 908f6fd5ad3b2977cc275bfbe6233ec29b8e36740541767609af42bde6862aee
Instruction Fuzzy Hash: C2810761F0ED4E4FE768EB7888696A577D1EF48310F0541BAD02DC31E6EE38A9478781

Function 00007FFD9B8889ED Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23e114bb639f4e97048a4a8e247c7fed56e13da307ed2beeafb79bb33eec69c
Instruction ID: 788518f2ebe7cace88394dc6b0cb373bedb35f499c78ba3a6ec7d0bb9ef76bf1
Opcode Fuzzy Hash: e23e114bb639f4e97048a4a8e247c7fed56e13da307ed2beeafb79bb33eec69c
Instruction Fuzzy Hash: 66710731B1994C4FDBA8EB689865AF977E2EF58310F05017AE41DD31E6CE38AD42C741

Function 00007FFD9B888A40 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ca44079c235d11f46194806b51e412dead5a4be345fd4036770cee1df635b0
Instruction ID: c3cd17fb2a5a4f3a0366204ace8384ca5ba098a9677d561483bc5b6360668c40
Opcode Fuzzy Hash: 98ca44079c235d11f46194806b51e412dead5a4be345fd4036770cee1df635b0
Instruction Fuzzy Hash: C5618231B1990D4FDBA8EB68D865ABDB7E2EF58310F150179E41ED32E6CE34AC418741

Function 00007FFD9B887E3D Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af89867c124c5acdbc68de736e07c47691648beb4d2d39b7a8d86f1ab5682c6
Instruction ID: 4306a8c14aca17a00c40b115d05e3d70bdc0c45aa39d0c7837857e3bbb1306de
Opcode Fuzzy Hash: 9af89867c124c5acdbc68de736e07c47691648beb4d2d39b7a8d86f1ab5682c6
Instruction Fuzzy Hash: AF51A570A18A0C8FDB58DF68D855BEDBBF1FF58310F1042AAD05DD3296DA34A942CB81

Function 00007FFD9B880925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bd47b74bae7b81d0f54244f29a1cc3f1fa695da8839b63ee7046a37c12e770
Instruction ID: f97a5bd1f21586285f4856d486b4ff1c35f6eee9a2e8d3ee9a253833994fe41e
Opcode Fuzzy Hash: 08bd47b74bae7b81d0f54244f29a1cc3f1fa695da8839b63ee7046a37c12e770
Instruction Fuzzy Hash: 2C51F321B2AE4E4FD798E77848756AD77E2FF88214B8004BDE46EC31D7DE38A9018341

Function 00007FFD9B8836DC Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eea33f1127883be17cf55702805b44bf14ede5146285dcdc25e27cbd7b592d
Instruction ID: f93b4fa0518eb7e2ca5b9e3a5f5c53ffe2d48f907cb72c07947f57334026180b
Opcode Fuzzy Hash: 03eea33f1127883be17cf55702805b44bf14ede5146285dcdc25e27cbd7b592d
Instruction Fuzzy Hash: E2518330908A1C8FDB68DF58D855BE9BBF1FF59310F1082AAD45DD3292DE34A9858F81

Function 00007FFD9B888FDA Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6d108e86afe595e192704f1491cac0d3028335694c9f90346fbbc8d984a815
Instruction ID: 1c8815fd555faa16cb9219440975436f896aeeacd355a47da53366fe3e31e535
Opcode Fuzzy Hash: 6b6d108e86afe595e192704f1491cac0d3028335694c9f90346fbbc8d984a815
Instruction Fuzzy Hash: B9511731A0DA0D8FD718DFA8C859AB87BE0EF55321F0441BED45DC71A2DB39A446CB41

Function 00007FFD9B880588 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aab04cd164faae0e06f5af14440200f9f4c1b43314f54ad0035f9bde808a4f
Instruction ID: 287d259b631347bc7585c512bdeefd720f94f972ee47f1de86795e53ea428750
Opcode Fuzzy Hash: a1aab04cd164faae0e06f5af14440200f9f4c1b43314f54ad0035f9bde808a4f
Instruction Fuzzy Hash: ED412C21F1DD4A0FE7A9B73C582697977D1DF89714B094079E45DC32EADD28AC824341

Function 00007FFD9B881748 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed616e8f60159b38adcb13e2abdb00b4cee0687a31eb1d7ca2950c4557f358f
Instruction ID: cb8c7106c0997d6bf2948eb1ac79685fa6a2b7dbb35d24191fe804342c0c5fae
Opcode Fuzzy Hash: fed616e8f60159b38adcb13e2abdb00b4cee0687a31eb1d7ca2950c4557f358f
Instruction Fuzzy Hash: 04513830E0D68A8FE716A77448226A57FA0EF5A320F1902F9D0A9C31E7DE7C6842C751

Function 00007FFD9B880728 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a9852b8b28439170629c8de7cfc39c5c31b4ac3f3f5a8571eb2157ca9b418d
Instruction ID: af63e3ec172cd104cc6d3729960cac6008642fe11dfee335840a195a42a85547
Opcode Fuzzy Hash: b9a9852b8b28439170629c8de7cfc39c5c31b4ac3f3f5a8571eb2157ca9b418d
Instruction Fuzzy Hash: 0E514130B2991D8FEBA8EB68D865ABD73F1FF98304F510179E41DD3295CE38A9428741

Function 00007FFD9B888761 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329ffd71c9795e317697f60a6373718866598112ed610b0ade388d0e52f1aa6e
Instruction ID: a1f6af56e312d7dcedbff6beb0663502bcf03c2132ce3b9579acbc07cbdb2912
Opcode Fuzzy Hash: 329ffd71c9795e317697f60a6373718866598112ed610b0ade388d0e52f1aa6e
Instruction Fuzzy Hash: 9151C030B1A95D8FEBA4EB68D864ABD77F1FF49304F4500BAE41DD31A6CE3869428741

Function 00007FFD9B88149D Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8399d9a73781eb2dbc6139defcf48ae27deb003766082a38e6af48b24eeddfbc
Instruction ID: 55141998a8dd98cb79e607c3bf77b6d1dad7ace0ea8fd10c9f6c645f69bed2d3
Opcode Fuzzy Hash: 8399d9a73781eb2dbc6139defcf48ae27deb003766082a38e6af48b24eeddfbc
Instruction Fuzzy Hash: 57519130A09A5DCFDB68EF68C465BA977E0FF59311F01016ED84AC36A2CB75D841CB41

Function 00007FFD9B880B5E Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9455361bf86b79211a459be16609d6ace9603e4b8147083cd209277611f8bd13
Instruction ID: 27325373a28a86bf372206b0906b3c74249e2a93131df7b270685b07e1a1dc49
Opcode Fuzzy Hash: 9455361bf86b79211a459be16609d6ace9603e4b8147083cd209277611f8bd13
Instruction Fuzzy Hash: 49415A2170DA880FE789A77C58696787BD2DF8A614F0901FFE44DC72E7DD185C028341

Function 00007FFD9B880768 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5da797b60e9bcfd43aa6a54757df619892a13636499d12c05af04a40119f09
Instruction ID: fe7a9e70e4825e75134959fdbf5d3235408c54cf96646ce757185fd65a01675b
Opcode Fuzzy Hash: 4f5da797b60e9bcfd43aa6a54757df619892a13636499d12c05af04a40119f09
Instruction Fuzzy Hash: 41416E74A09A1DCFDBA8EF68C465BB977E1FB58311F10016EE80AD36A1CB75E841CB41

Function 00007FFD9B8881A1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d841f75fcdfaa801eaedaa30e01d04d7d022d38a77f59a1ee43466d1785dd878
Instruction ID: 7f7544cf00d2df416e2e0a0c597e8a8805585a8686101987a6718bde01ade9b5
Opcode Fuzzy Hash: d841f75fcdfaa801eaedaa30e01d04d7d022d38a77f59a1ee43466d1785dd878
Instruction Fuzzy Hash: B941B031B09E4D4FEB94EBA884696E977F1FF5D301B0401BAD419D72A2DF3898428701

Function 00007FFD9B8804C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5546184dbd3da251c870b1bf0bb4835b1d0c80814f0e041afc1881227b86c4d8
Instruction ID: 3f547d667f5e2179077a4cee1966cf5b916b02151b2140ba69fd2400895b5502
Opcode Fuzzy Hash: 5546184dbd3da251c870b1bf0bb4835b1d0c80814f0e041afc1881227b86c4d8
Instruction Fuzzy Hash: 5A310621B18D4C0FE798EB6C986AB78A6C2EF9C719F0505BEE41DC32E7DD685C418341

Function 00007FFD9B8806F8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb44436314dc04d2f4cb781054de2ec67bb4fd79475d38d31f8e8d2023e29df0
Instruction ID: df5ee2cf5e48fde30d7e95f7541f0ce1561e5bd3d703a7671635a3e389cb6a4b
Opcode Fuzzy Hash: eb44436314dc04d2f4cb781054de2ec67bb4fd79475d38d31f8e8d2023e29df0
Instruction Fuzzy Hash: 02419D30F0990E8BDB98FBA88465AB9B6E1EF58310F15017DD02ED32D2DE39A941C781

Function 00007FFD9B880E09 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80f86f02e156072e38ca9cdd0e4546a89f6ba28ea456f08cd1d30ca4293ca79
Instruction ID: 95c98d3936abe55c0c6b23196858637785e1cef6b1be3adc5d09c1f9b1dbe45f
Opcode Fuzzy Hash: c80f86f02e156072e38ca9cdd0e4546a89f6ba28ea456f08cd1d30ca4293ca79
Instruction Fuzzy Hash: AB31B351B19D094FEB98BBBC5C297BD66D1EF98701F0402B7E02DC32D6DD2899414391

Function 00007FFD9B880CC1 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8109943487c2f0acfbe5cb74b1de34005a837fd57f4695bf05ca02e55723972
Instruction ID: 20bf6a7940ba1a27d3f65aa3216e9d41689be482097b11b00b9dc17da54c6afa
Opcode Fuzzy Hash: d8109943487c2f0acfbe5cb74b1de34005a837fd57f4695bf05ca02e55723972
Instruction Fuzzy Hash: 0541D230B19A4E8FEB59EBA898656FD77F1FF88310F4001B6D458D32D6DE3868418751

Function 00007FFD9B888469 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1195d14d81fef3f616bb157b738344e69ccdd8cbca069ce1555602a27978c202
Instruction ID: 552aac32496e26dcd3e9e9404f2b4c788f28dc987b655583bdf18d7e2dded6ef
Opcode Fuzzy Hash: 1195d14d81fef3f616bb157b738344e69ccdd8cbca069ce1555602a27978c202
Instruction Fuzzy Hash: 1A312971B0ED4A4FE758EB7888656A077E0FF58310F0546BAD02DC31A2EE38E9478781

Function 00007FFD9B880E20 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18c95eb595232f9e141b0b67b1538a8d96838c80a0ec74b92ba02628dcc1ae7
Instruction ID: 1787de6e3e7e57a2d43c789c79dbf4e29a298aef9cb8706623862c0fbeeb5b44
Opcode Fuzzy Hash: c18c95eb595232f9e141b0b67b1538a8d96838c80a0ec74b92ba02628dcc1ae7
Instruction Fuzzy Hash: C531C751B28D0E4BEB98B7BC582A7BD66D2FFD8711F10017BE02DC32D6DD28A8424391

Function 00007FFD9B8893A5 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bab0a4470d43e473964270cec5e785e66d9fe3305d3aa2db0f07b28bfd077e
Instruction ID: 6c214ccb5ac9e142206cc4420d777efdb3e5c9eead448fe3718f6991db4b6ae8
Opcode Fuzzy Hash: 12bab0a4470d43e473964270cec5e785e66d9fe3305d3aa2db0f07b28bfd077e
Instruction Fuzzy Hash: A331E13190DB488FDB29DFA8D845AE9BBF0FF46320F0481AFD059C31A2C7246445CB51

Function 00007FFD9B8884A9 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf79b1388c8b12baf00008272ad6027ad4cf88b8fa23c2ae70777feddd6a81df
Instruction ID: cb2cead509af4f04e86ad58686f26c4673a34d4b9edea8e226c167034f3d1c18
Opcode Fuzzy Hash: cf79b1388c8b12baf00008272ad6027ad4cf88b8fa23c2ae70777feddd6a81df
Instruction Fuzzy Hash: 8931EC71F0ED4E4FE764AB7888656A577A1FF58310F01457AD02DC3192EE38E9478781

Function 00007FFD9B888069 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12716be0fa8dac864446c203a8394a7cb5ecc3c775acfb89d9caf07f392c58e9
Instruction ID: a4e04ffb1f722cba0891815c3b34f4fc4d01c0d45d381bb5459246283e8a4bc9
Opcode Fuzzy Hash: 12716be0fa8dac864446c203a8394a7cb5ecc3c775acfb89d9caf07f392c58e9
Instruction Fuzzy Hash: FD31E93060DD898FDB56EB78C8A1A9977F0FF0A30574501E6D818C72A2CB38A852C741

Function 00007FFD9B888365 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970848657cc6ea1dc3ff1fd4a3ad3d29ec491aebc55121a3bbdffeb30e9fcb80
Instruction ID: 9d3986466e40b8ade96f03ae5a2aaf1143c0dbdea140234acec2b2f72e71c00f
Opcode Fuzzy Hash: 970848657cc6ea1dc3ff1fd4a3ad3d29ec491aebc55121a3bbdffeb30e9fcb80
Instruction Fuzzy Hash: 13210622A1EA8E0FE75597A44C724F97BB1FF45340B4602B6E06DC71E3DD2D29038791

Function 00007FFD9B8813E5 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc91f0948f9d29025046516c749ce4ad8ed90c93785032cdd2fa5c38ebf7b1d
Instruction ID: 21aca5543065c798700baf5bdb3f0a46184fb24603eec0fd2b83c1649f242cd4
Opcode Fuzzy Hash: 1bc91f0948f9d29025046516c749ce4ad8ed90c93785032cdd2fa5c38ebf7b1d
Instruction Fuzzy Hash: EA210920F1EA4A4BF7A9B7B444315B83692AF89314F560079E02DC71E7DE7CA9428341

Function 00007FFD9B8891B1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0c19e53f7c52cd07f3b0ca2cdfbdde820eddb674653fa44bf9149d20f2b9
Instruction ID: d1e8a2c4884d1159141f57a868872995c89469550524604e55af6a3aba1aab72
Opcode Fuzzy Hash: b1ae0c19e53f7c52cd07f3b0ca2cdfbdde820eddb674653fa44bf9149d20f2b9
Instruction Fuzzy Hash: 4021C350B2CD598BEB4AB3AC5825BF977D2EF58310F4502B6E468C32D7DD2C69118392

Function 00007FFD9B8892C9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8308821a349dff71f3f82ada7a63513af7c65cd3513c8fcd52e78ffcff591617
Instruction ID: a6fbe1394ea0b9425dd039b36b9220d59be6d4ee71a0768f1ced40650abbed01
Opcode Fuzzy Hash: 8308821a349dff71f3f82ada7a63513af7c65cd3513c8fcd52e78ffcff591617
Instruction Fuzzy Hash: 39218B20B0EA8E0FD751D7A448255F97BE1EFCE200F0500F6D59EC31E2CD2C9A428341

Function 00007FFD9B880778 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14df24c647eec819977c0024913b695116a9c9209f935f292cf48055cd39ea23
Instruction ID: 8f4af3133056a6de5b6c0d9a8987cbf66d09c4be06970350eec63a345f35106b
Opcode Fuzzy Hash: 14df24c647eec819977c0024913b695116a9c9209f935f292cf48055cd39ea23
Instruction Fuzzy Hash: 6611C410B28D1D8BEB59B7AC6826BF972C6EF48710F5002B5F42DC32D7DE2C69118382

Function 00007FFD9B8812B1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8381f1a3dd1e44f531bde9302f978988973b739a59a1e91b0d2017b8f4334a7
Instruction ID: 57cc25cb7be557db3d027458735488c107092e633860c1d440c307a387532a04
Opcode Fuzzy Hash: e8381f1a3dd1e44f531bde9302f978988973b739a59a1e91b0d2017b8f4334a7
Instruction Fuzzy Hash: 4E110670909B8D8FD75DDB2888B52A87FE0EF99211F8440AFDC99D7592DF3910158700

Function 00007FFD9B887C91 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f280f8f05219356c81e60fe9ac77824f6b3463b5f76a3bd88ed36c074662a0
Instruction ID: a2f4289d828170762e9098036e3bc03f891a4699076af8d9d40c83e09395a37b
Opcode Fuzzy Hash: a6f280f8f05219356c81e60fe9ac77824f6b3463b5f76a3bd88ed36c074662a0
Instruction Fuzzy Hash: 57010472E09A8D0FDB40EBA4882A1FD7BF1EF59310F4101B7D418CB1E6DA3899448382

Function 00007FFD9B880720 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80786c48d3bfbeff1ae86eca79f0d2c2d806ab23227ef9ac42f2f712743284cd
Instruction ID: 14e7d6a467fa1f109d677d6133dba0091868ac058a90e0dcc13cc94fe7d2c633
Opcode Fuzzy Hash: 80786c48d3bfbeff1ae86eca79f0d2c2d806ab23227ef9ac42f2f712743284cd
Instruction Fuzzy Hash: F7F08131E1491E4ADB50EBA898195FE77F1EF58304F000177E529D7199DE34698047C1

Function 00007FFD9B881361 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ec4731d97ceea24fdfe35f033c586a586fcae4e891151d22411b0fba77d285
Instruction ID: c901a16ba7a46c5e43e5e5edfae1f90cf2f0446919d02baf7f464b8f961e6c9c
Opcode Fuzzy Hash: 50ec4731d97ceea24fdfe35f033c586a586fcae4e891151d22411b0fba77d285
Instruction Fuzzy Hash: 22012610F1EA4A4FF7A4B7B848352782AD1EF99304F0600BDD06AC7AE7DE6C68418302

Function 00007FFD9B881448 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f572ebe6ae4d1cb20790fe9a17920fadd2ea74810d72dd5b01ac84f8cbb1d9ae
Instruction ID: 249872107ce5d8b7a506fa33e193c09347ca8f0fdc5730d88d81b6af9be5b4be
Opcode Fuzzy Hash: f572ebe6ae4d1cb20790fe9a17920fadd2ea74810d72dd5b01ac84f8cbb1d9ae
Instruction Fuzzy Hash: C7F06D30E0E81A8BE365F758C4616B867A2AF9D324F510534D42DC71E5DF38BA528680

Function 00007FFD9B881131 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a50438c27a2aad9c5ac32b67ea2e779b5dd888657e19399c1ddb729af6ed86
Instruction ID: 69ef0c00a3aa1b7c7c14b95d3d5ba66247bc3246e0958bdd9dff30d612ccca36
Opcode Fuzzy Hash: 96a50438c27a2aad9c5ac32b67ea2e779b5dd888657e19399c1ddb729af6ed86
Instruction Fuzzy Hash: A2E0C23586A7CC8FC7625BA068221D67B34EF56200F4605CBF458CB0A3E624A618C793

Function 00007FFD9B881274 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59139a2902906171ffb0815e1b3d40a440c565dc942bd7a24595468f32d8a16a
Instruction ID: 111cfd63b7ca9bc8d41beb999793176e89d056a7801eb81f6f557ef406ce3ef5
Opcode Fuzzy Hash: 59139a2902906171ffb0815e1b3d40a440c565dc942bd7a24595468f32d8a16a
Instruction Fuzzy Hash: AFD0C204C5F6870BE31B23B41C624807F208E0B1A0F4A0291D4A4CA0E3EC6D259A8372

Function 00007FFD9B888162 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e283a4e927a8357826d774c0ca9dbd31ff1df8d218fb31e0efd644b61faf442c
Instruction ID: f7c5f32dee371d717d2b1f0d23223dea2c0840c8dc2997df16610e8aaf36329b
Opcode Fuzzy Hash: e283a4e927a8357826d774c0ca9dbd31ff1df8d218fb31e0efd644b61faf442c
Instruction Fuzzy Hash: 0EE04F74548A1C9FCF44FF6898449C937F4F728324B00061AE41DC7148E735D6A48B80

Function 00007FFD9B88077D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2785093761.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ff9c738aec7e2fc7d4f29038c60806858b07f9200a27eacaeb44f250bddbf1
Instruction ID: eaaca7a7be651ccf9b0d135ac5a05acb222064f76a0bc680956bd83ffb10d97b
Opcode Fuzzy Hash: 39ff9c738aec7e2fc7d4f29038c60806858b07f9200a27eacaeb44f250bddbf1
Instruction Fuzzy Hash: F0B09204FAF84E42E46533B94A6A0A8BBE09F8E530FC614B0D499400A7985E1AA64242

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KWTQ2QTIX5Z3IKMK_d74501e9c317ebe9026991a5361205662c78bb2_221d1681_994cad59-7b7d-45ae-bec4-0a62cd7695e7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53E8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55AF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DE.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe