Edit tour

Windows Analysis Report
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Overview

General Information

Sample name:	17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe
Analysis ID:	1580252
MD5:	5f7cf7d5ed198f081d03b18927e24fb5
SHA1:	8fb9bef0f4c7f737eee41971c5905d3f841dbf79
SHA256:	7d09a8b7b5a6152961c04de034fe72a97b7fcf4eef3938de998a5aca9f0fea6e
Tags:	AsyncRATbase64-decodedexeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe" MD5: 5F7CF7D5ED198F081D03B18927E24FB5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["177.106.221.166"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5951:$str01: $VB$Local_Port 0x5942:$str02: $VB$Local_Host 0x5c52:$str03: get_Jpeg 0x55fa:$str04: get_ServicePack 0x65ee:$str05: Select * from AntivirusProduct 0x67ec:$str06: PCRestart 0x6800:$str07: shutdown.exe /f /r /t 0 0x68b2:$str08: StopReport 0x6888:$str09: StopDDos 0x698a:$str10: sendPlugin 0x6a0a:$str11: OfflineKeylogger Not Enabled 0x6b70:$str12: -ExecutionPolicy Bypass -File " 0x6c99:$str13: Content-length: 5235
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bb4:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bdf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cf4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69b4:$cnc4: POST / HTTP/1.1
Process Memory Space: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe PID: 6532	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5951:$str01: $VB$Local_Port 0x5942:$str02: $VB$Local_Host 0x5c52:$str03: get_Jpeg 0x55fa:$str04: get_ServicePack 0x65ee:$str05: Select * from AntivirusProduct 0x67ec:$str06: PCRestart 0x6800:$str07: shutdown.exe /f /r /t 0 0x68b2:$str08: StopReport 0x6888:$str09: StopDDos 0x698a:$str10: sendPlugin 0x6a0a:$str11: OfflineKeylogger Not Enabled 0x6b70:$str12: -ExecutionPolicy Bypass -File " 0x6c99:$str13: Content-length: 5235
0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6bb4:$cnc4: POST / HTTP/1.1

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T07:38:37.718338+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49981	177.106.221.166	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Malware Configuration Extractor: Xworm {"C2 url": ["177.106.221.166"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for submitted file

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Virustotal: Detection: 73%			Perma Link
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: 177.106.221.166
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: 7000
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: <123456789>
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: <Xwormmm>
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: XWorm V5.2
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	String decryptor: USB.exe

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 177.106.221.166:7000
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49981 -> 177.106.221.166:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 177.106.221.166

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 177.106.221.166:7000

Source: Joe Sandbox View

ASN Name: ALGARTELECOMSABR ALGARTELECOMSABR

Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166
Source: unknown	TCP traffic detected without corresponding DNS query: 177.106.221.166

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002A51000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Code function: 0_2_00007FF848F26B92	0_2_00007FF848F26B92
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Code function: 0_2_00007FF848F25DE6	0_2_00007FF848F25DE6
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Code function: 0_2_00007FF848F23ADD	0_2_00007FF848F23ADD

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\HrT4LMO4BK42UCbZ

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Virustotal: Detection: 73%
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Memory allocated: CA0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	Memory allocated: 1AA50000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Window / User API: threadDelayed 9575

Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe TID: 4768	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe TID: 5008	Thread sleep count: 9575 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe TID: 5008	Thread sleep count: 273 > 30	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457317455.0000000000D38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4459162226.000000001B930000.00000004.00000020.00020000.00000000.sdmp, 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4459162226.000000001B95E000.00000004.00000020.00020000.00000000.sdmp, 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4459162226.000000001B995000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe PID: 6532, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe PID: 6532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	232 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	232 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	74%	Virustotal		Browse
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	84%	ReversingLabs	Win32.Exploit.Xworm
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	100%	Avira	HEUR/AGEN.1305769
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
177.106.221.166	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
177.106.221.166	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, 00000000.00000002.4457988171.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
177.106.221.166	unknown	Brazil		53006	ALGARTELECOMSABR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580252
Start date and time:	2024-12-24 07:35:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 48 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe, PID 6532 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:36:01	API Interceptor	14433237x Sleep call for process: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALGARTELECOMSABR	173502204417f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec108.dat-decoded.exe	Get hash	malicious	XWorm	Browse	191.55.136.12
	splspc.elf	Get hash	malicious	Unknown	Browse	200.225.212.176
	armv5l.elf	Get hash	malicious	Unknown	Browse	187.72.191.192
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	189.41.50.243
	nsharm7.elf	Get hash	malicious	Mirai	Browse	177.69.78.91
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	187.32.70.87
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	200.170.129.132
	17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe	Get hash	malicious	Remcos	Browse	177.106.216.153
	sh4.elf	Get hash	malicious	Unknown	Browse	179.104.134.110
	armv5l.elf	Get hash	malicious	Unknown	Browse	187.32.190.62

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.541199616073073
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe
File size:	33'792 bytes
MD5:	5f7cf7d5ed198f081d03b18927e24fb5
SHA1:	8fb9bef0f4c7f737eee41971c5905d3f841dbf79
SHA256:	7d09a8b7b5a6152961c04de034fe72a97b7fcf4eef3938de998a5aca9f0fea6e
SHA512:	3b834ea2cb427c4edf7f618bc6c8037fbca59309eb4c7db95066accfcfcabb716b8bfc91e67aaa3f3cd19cdb34f09df9084baf9143ad3854483bfc37e6bad852
SSDEEP:	768:/Ua+vNohsXn42JiB70LVF49jKZOjh7br:ivNohsn4WiR05F49jKZOjFX
TLSH:	14E24A4477E48626DAEE6FF528F391010274D517D823EF6E0CE489EA2B67AC187407E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`Icg.................z............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40982e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67634960 [Wed Dec 18 22:14:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7834	0x7a00	a56be12130466c8e0aba3ad82efdfe0f	False	0.493500256147541	data	5.6871351262871475	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	1b2507215d7d787a9e1714fce30ae780	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T07:36:15.163817+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	177.106.221.166	7000	TCP
2024-12-24T07:38:37.718338+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49981	177.106.221.166	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 07:36:02.133644104 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:02.253540039 CET	7000	49704	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:02.253633022 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:02.414382935 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:02.534018993 CET	7000	49704	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:15.163816929 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:15.283447027 CET	7000	49704	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:24.135482073 CET	7000	49704	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:24.135720015 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:27.390212059 CET	49704	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:27.391091108 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:27.510145903 CET	7000	49704	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:27.510696888 CET	7000	49726	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:27.510869026 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:27.546679020 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:27.666213989 CET	7000	49726	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:39.298135042 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:39.417819977 CET	7000	49726	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:49.401477098 CET	7000	49726	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:49.402790070 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:50.983813047 CET	49726	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:50.984594107 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:51.103571892 CET	7000	49726	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:51.104129076 CET	7000	49776	177.106.221.166	192.168.2.5
Dec 24, 2024 07:36:51.104401112 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:51.132477045 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:36:51.252224922 CET	7000	49776	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:02.765294075 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:02.884908915 CET	7000	49776	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:13.011498928 CET	7000	49776	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:13.011569977 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:15.016325951 CET	49776	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:15.023608923 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:15.136028051 CET	7000	49776	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:15.143234968 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:15.143309116 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:15.222651005 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:15.342304945 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:20.280831099 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:20.402705908 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:20.797220945 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:20.916863918 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:23.266490936 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:23.386080027 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:28.921706915 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:29.041385889 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:32.156246901 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:32.275721073 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:32.475363970 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:32.594820023 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:37.043164015 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:37.043245077 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:40.921314955 CET	49832	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:40.922713995 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:41.040885925 CET	7000	49832	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:41.042222977 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:41.042323112 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:41.086987019 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:41.206557989 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:41.206717014 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:41.326428890 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:43.405949116 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:43.525521040 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:46.859178066 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:46.978816986 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:46.978864908 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:47.098311901 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:47.098372936 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:47.217936039 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:57.424119949 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:57.733695030 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:37:57.891096115 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:37:57.891145945 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:02.918998957 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:02.919076920 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:07.624623060 CET	49891	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:07.628571987 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:07.744210005 CET	7000	49891	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:07.748207092 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:07.748764038 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:07.802180052 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:07.922703028 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:12.874612093 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:12.994240046 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:12.994302034 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:13.113827944 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:13.113893032 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:13.233436108 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:13.233525991 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:13.353168011 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:18.281019926 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:18.401314020 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:18.401377916 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:18.521034002 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:29.437220097 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:29.556931019 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:29.638528109 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:29.638645887 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:33.890151978 CET	49948	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:33.892312050 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:34.009876013 CET	7000	49948	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:34.011934042 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:34.012036085 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:34.100873947 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:34.221714973 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:37.718338013 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:37.838105917 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:42.999732018 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:43.124475956 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:49.327954054 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:49.447765112 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:49.447851896 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:49.567461014 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:49.567564964 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:49.687454939 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:49.687524080 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:49.807224989 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:55.920888901 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:38:55.920984030 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:59.905700922 CET	49981	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:38:59.908072948 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:00.025660038 CET	7000	49981	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:00.027667046 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:00.027762890 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:00.061379910 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:00.180990934 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:05.265254021 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:05.385318041 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:05.484620094 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:05.604511976 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:07.609169960 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:07.729058981 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:12.327809095 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:12.447868109 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:15.577843904 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:15.697602034 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:15.734092951 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:15.853727102 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:15.853790045 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:15.973848104 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:15.973912954 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:16.093744993 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:21.920228958 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:21.920317888 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:26.062068939 CET	49982	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:26.064990044 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:26.182337999 CET	7000	49982	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:26.184617996 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:26.184726954 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:26.222012997 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:26.341810942 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:30.281055927 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:30.400829077 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:37.827910900 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:37.947690964 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:39.687278032 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:39.807025909 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:42.327975035 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:42.447804928 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:42.447882891 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:42.567445993 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:43.062287092 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:43.181991100 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:47.468527079 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:47.588386059 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:47.588455915 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:47.708060026 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:47.708137989 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:47.827738047 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:48.092756033 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:48.092833996 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:52.608895063 CET	49983	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:52.610527039 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:52.728627920 CET	7000	49983	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:52.730063915 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:52.730190992 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:52.790776014 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:52.910382986 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:57.921578884 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:58.041374922 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:39:58.041460037 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:39:58.161267996 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:03.142757893 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:03.262361050 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:03.609005928 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:03.729346037 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:14.698976040 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:14.700871944 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:21.218964100 CET	49984	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:21.219069958 CET	49985	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:21.338850975 CET	7000	49984	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:21.338896036 CET	7000	49985	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:21.339154005 CET	49985	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:21.439230919 CET	49985	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:21.558862925 CET	7000	49985	177.106.221.166	192.168.2.5
Dec 24, 2024 07:40:36.437052011 CET	49985	7000	192.168.2.5	177.106.221.166
Dec 24, 2024 07:40:36.556773901 CET	7000	49985	177.106.221.166	192.168.2.5

Analysis Process: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exePID: 6532, Parent PID: 1028

General

Target ID:	0
Start time:	01:35:57
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe"
Imagebase:	0x830000
File size:	33'792 bytes
MD5 hash:	5F7CF7D5ED198F081D03B18927E24FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2008996703.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exePID: 6532, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848F25DE6 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fde7e88c7b9748c92fbedb6783c5e5cb7a4c7b3d05a217d8c20a9568cf6ce14
Instruction ID: 93e53084cdd1db5af6a1f6fadb3647d6caa66f1cb55e2572f70c91814785a523
Opcode Fuzzy Hash: 4fde7e88c7b9748c92fbedb6783c5e5cb7a4c7b3d05a217d8c20a9568cf6ce14
Instruction Fuzzy Hash: F1F1933091CA4D8FEBA8EF28D8557E977D1FF58350F14426AE84DC72D1CB39A8458B82

Function 00007FF848F26B92 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8b64fb30e56dd9b26bf531104118c900a3a47689007ec224e09ab034ba15f2
Instruction ID: 852742f1f9af94e5a0b70482fbc2b3e27e7aa2af78deb3ecb677e209c2ccc81b
Opcode Fuzzy Hash: aa8b64fb30e56dd9b26bf531104118c900a3a47689007ec224e09ab034ba15f2
Instruction Fuzzy Hash: 7AE1C33090CA8E8FEBA8EF28D8557E977E1FB54350F14426ED84DC7291DF79A8408B85

Function 00007FF848F28FDA Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

pxH, xrefs: 00007FF848F28FF5

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID: pxH
API String ID: 0-439416440
Opcode ID: b724377d290ded4ce240655ac148e23260f567253d7488cc9e1a6f913a34d28c
Instruction ID: bf9ec4b6f6b587ca1adca731ddae3b9f4ab86ef5fa70783183fff90a92a04b57
Opcode Fuzzy Hash: b724377d290ded4ce240655ac148e23260f567253d7488cc9e1a6f913a34d28c
Instruction Fuzzy Hash: 87612631A0C64D8FE709EB78E819AB97BE0EF55360F0841BED049C76D2DB29A846C751

Function 00007FF848F27D12 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848F27DC3

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ed35681fb87b88081eb0aabf53c2ef63c3018ea1a526dd21b9333822f53ce810
Instruction ID: 0acd36cd5cdfc19a81e33053673bbe87782ee5a8db6817cf6af901690f501d7d
Opcode Fuzzy Hash: ed35681fb87b88081eb0aabf53c2ef63c3018ea1a526dd21b9333822f53ce810
Instruction Fuzzy Hash: 1231B03180CA9D8FDB44EFA8D8485E9BBF0FF5A324F0402BBD449D3191EB3999558792

Function 00007FF848F222C0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848F27DC3

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 6bfc0506e9016e06b0ea1b7afdec498bc8a19b24a5ac8caafcd3868de59d91ce
Instruction ID: daa0d374b521585db0140584db3c1cd6fc2da833695008b8876c0b16e2e9d2be
Opcode Fuzzy Hash: 6bfc0506e9016e06b0ea1b7afdec498bc8a19b24a5ac8caafcd3868de59d91ce
Instruction Fuzzy Hash: E921A131D0C95E8FEF14BB68A8096FEB7A0EF49364F40023AD91DD22C0DF3A95508796

Function 00007FF848F21D65 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e209e4ace397d290806ea7980c57d0e1b612bd9f432cda343b3ce9e663bc1be4
Instruction ID: f6ecb039f0de4a89ae0cb73d57a97d138bd946625efeb0e87f8e8c23edc1e001
Opcode Fuzzy Hash: e209e4ace397d290806ea7980c57d0e1b612bd9f432cda343b3ce9e663bc1be4
Instruction Fuzzy Hash: 80C14871E1DD864FE359A77C64192B9BBE2FF95390F4401B9C049C32C7DE29A8468349

Function 00007FF848F21CC5 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7facc7c41154ff38fa32425f9d071653880d5a23abb1d33c082dd64e641d0c1
Instruction ID: fc7593101b0d5d0b203c54a11bb20c0f90ffb2eda89bc7f537f700a7dbd707b4
Opcode Fuzzy Hash: a7facc7c41154ff38fa32425f9d071653880d5a23abb1d33c082dd64e641d0c1
Instruction Fuzzy Hash: 91B12631E1DE854FE399A77864192B9ABE2FF95390F4401BAD04DC72C7DF29A8428349

Function 00007FF848F267A6 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0693ac7232404cc673c4cde0cf00db0bd7fff9e718c9442b080976acb839435
Instruction ID: 8156754a801d7e1311448a10e9b8f495cb84f1ccd15c4d62ac06a5ba7f56ee56
Opcode Fuzzy Hash: b0693ac7232404cc673c4cde0cf00db0bd7fff9e718c9442b080976acb839435
Instruction Fuzzy Hash: 16B1B33050CA4D4FEBA8EF28D8557E93BE1FF55350F14426AE84DC7292CF3998458B86

Function 00007FF848F20700 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0165259f89c6f7f10a1bb8764659b67dc655453f4ad16e75730b53caade12368
Instruction ID: 9d2e485903c3e5b6a68d012c65a6e06ff0af72c60de54892e4baa807309c3f68
Opcode Fuzzy Hash: 0165259f89c6f7f10a1bb8764659b67dc655453f4ad16e75730b53caade12368
Instruction Fuzzy Hash: D1A10331E1DD494FE798E76C64193BAABE2FF98390F540579D04EC32C6DF2968428349

Function 00007FF848F22635 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f64ce062c0281aaef0f6a5850c0521eadbda2138eb63668fd8cf72c3f75c4fd
Instruction ID: 8776bc806e6e5815b2317e19af6bc8cfb6d16e294b20275665f4f888a68abf70
Opcode Fuzzy Hash: 0f64ce062c0281aaef0f6a5850c0521eadbda2138eb63668fd8cf72c3f75c4fd
Instruction Fuzzy Hash: 48A1552073A9099FE644B77C985A7BAB2D2FFD8740F640576E00DC32D7DE2CAC428665

Function 00007FF848F28469 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6ee838b760f2ab263308df096f533e327e410885b8ea6ea275b4fb7fc4a685
Instruction ID: 7fada3184fd52c9e09837ab2ec62d4617ebe7aaf19560f0811488fe95b8d48fc
Opcode Fuzzy Hash: cc6ee838b760f2ab263308df096f533e327e410885b8ea6ea275b4fb7fc4a685
Instruction Fuzzy Hash: 2F91F331D2D94A4FE748FB38985A2B5BBD0EF543A0F4406BAD00DC31D2DF2DA8568395

Function 00007FF848F289ED Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79eae1682f18298dd1b05917f57f289ae320246c0193f3b3aacfbb1bdcb1ad82
Instruction ID: 905837564ec011edfe865b05e667e070e16c05e48643d633e1dff45c648106e4
Opcode Fuzzy Hash: 79eae1682f18298dd1b05917f57f289ae320246c0193f3b3aacfbb1bdcb1ad82
Instruction Fuzzy Hash: 7D71F531E1D9595FDB98EB28E859AF9B7E1EF59350F4401BAE00DD32D2CE29A841C740

Function 00007FF848F28A40 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9182076fd5bdea6caf2f7d03f608f8c0a81f84352709da7bb323f93b66825cc4
Instruction ID: a8b6a93e4257bf1b7b8fb5317cdfcb33b5536ea744314b2c413adf8ee410080a
Opcode Fuzzy Hash: 9182076fd5bdea6caf2f7d03f608f8c0a81f84352709da7bb323f93b66825cc4
Instruction Fuzzy Hash: 65619031E199188FEB98FB28D459AB9B7E2FF98350F440579D40ED32D2DF29AC418744

Function 00007FF848F20925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559806316800a066a967edd2bf4a869cd9ed446f32b68137c7d0df7545711b26
Instruction ID: 6e3e3c1dda9796d6daa7d0233d7b2cf1bb26adaccd7843c1fbbb540e9e98dc44
Opcode Fuzzy Hash: 559806316800a066a967edd2bf4a869cd9ed446f32b68137c7d0df7545711b26
Instruction Fuzzy Hash: 3051F532E1ED4E5FD794B738A4591BE7BA1FF88290F8445B9E40EC32C6DE2D69018750

Function 00007FF848F27E3D Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea612adf72495890ab35c1681a7e06255d4e3edee3562666f06c53ac08412eb
Instruction ID: 60f33c3447bc7a9d90457ed7a31a7c25178e527defbc4ecf0798172af6e3602c
Opcode Fuzzy Hash: 8ea612adf72495890ab35c1681a7e06255d4e3edee3562666f06c53ac08412eb
Instruction Fuzzy Hash: CD517F30908A1C8FDB58EB68D8557E9BBF1FF59310F20426AD449D3296CB35A9868B81

Function 00007FF848F236DC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c650c23049018405cf454014a7e5c0955b67e4d980e3f63fe3743ad5afd071ca
Instruction ID: 2f61e565529612254a547abceda6d5f148518315d0df1c3d83c5a39b94bc9b0c
Opcode Fuzzy Hash: c650c23049018405cf454014a7e5c0955b67e4d980e3f63fe3743ad5afd071ca
Instruction Fuzzy Hash: E2518471D08A1C8FDB58DB58D845BE9BBF1FB59310F1082AAD44DD3252DF34A9858F82

Function 00007FF848F21748 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335689b1e48b4bdfcde809bddcc164aa1ffe2d1f34f7fc5fb7b036f6bacfaac8
Instruction ID: 1d13133becb6451d7e0643478e3dbde281502bffed071cbf575a1b9f581879df
Opcode Fuzzy Hash: 335689b1e48b4bdfcde809bddcc164aa1ffe2d1f34f7fc5fb7b036f6bacfaac8
Instruction Fuzzy Hash: A3511330D0D6864FE706A77458562A57FA1EF523A0F1802B9C099C71D3DE2DB886C759

Function 00007FF848F20588 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582e0ed7438324f81be0a42245e944f90433873a9710dbd8fa4a1c1171ea20f0
Instruction ID: 3b8e910bb548d3421ea3c9ba227c3d32aed88b4a21a27125529d967eab91b57d
Opcode Fuzzy Hash: 582e0ed7438324f81be0a42245e944f90433873a9710dbd8fa4a1c1171ea20f0
Instruction Fuzzy Hash: FC412631B1D9590FE398F73CA81A67A77D2EF887A0F080479E44DC32D6DD19AC828345

Function 00007FF848F20728 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ba627bb6c18740f11785023e5e820355a0e790a3f016085f169bef0b46ea9f
Instruction ID: 9b7f1a96f9ee90dca592547e12b2327c98efa439e1787ca6ade97a15cab16f19
Opcode Fuzzy Hash: d4ba627bb6c18740f11785023e5e820355a0e790a3f016085f169bef0b46ea9f
Instruction Fuzzy Hash: F1516D30E289199FEB98FB28E8556BDB3E2FF88740F900579E00DD3295CF39A8419741

Function 00007FF848F28016 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1d92176ef01ca50182138f23f76adb1ba99e3c5822aa81dc9f4e771dd11d58
Instruction ID: 759c4f090913be70260c9480095d345ac32d3de65dfb16b2bde1db4db1a1b277
Opcode Fuzzy Hash: 6b1d92176ef01ca50182138f23f76adb1ba99e3c5822aa81dc9f4e771dd11d58
Instruction Fuzzy Hash: 1A51E53194DA4DAFDB46FB7CD8459AA7BE1FF46360F0401AAD008C3292DB35E852C745

Function 00007FF848F28761 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c65d68e120dfe97332ba521d2c3e258c76b043f251e96c8ca59c724236b298a
Instruction ID: 0f2ed23cf168c778894911c232d1320261aaacfb967bf45fc2d8a41eccba0450
Opcode Fuzzy Hash: 9c65d68e120dfe97332ba521d2c3e258c76b043f251e96c8ca59c724236b298a
Instruction Fuzzy Hash: B651C030E2D9599FEB94EB28E8556B9B7E1FF84740F4401BAE009D32D2CF29A8418701

Function 00007FF848F2149D Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5265ed2745b10f7fdecb26f4b8a863d7cc3ce594cd71db3cad8c2e0fa82beeac
Instruction ID: aec44d9f7b7ffbc36bd643cac7b171a79150bebf6ca175c832cc055bb5d1ac51
Opcode Fuzzy Hash: 5265ed2745b10f7fdecb26f4b8a863d7cc3ce594cd71db3cad8c2e0fa82beeac
Instruction Fuzzy Hash: 50518D7090DA5D8FEB98EF6CD459AA977E0FF65311F10016EE04AC3692DB35E8428B40

Function 00007FF848F20B5E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a95b8926edcf335fb2e1d83efea291b2e6a8cc173fc83bffccbe8287093387
Instruction ID: 13ef1a907afa7b6779d100991f94b7af3bf8c6efb0cd9dd62152bb66e543a35d
Opcode Fuzzy Hash: 87a95b8926edcf335fb2e1d83efea291b2e6a8cc173fc83bffccbe8287093387
Instruction Fuzzy Hash: 5D412721B1DA890FE789A77C9869374BBD1EF9A655F0900FAE04DC72D3CE189C068341

Function 00007FF848F20E09 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc4ad95307c130477dcf6b49d76bbdabea31572603f68712beca392cd0a5557
Instruction ID: 0ee8a638c83b681e81a3ea213bcb359b426cf73ecbe4c264291f1901ca74ac0f
Opcode Fuzzy Hash: dfc4ad95307c130477dcf6b49d76bbdabea31572603f68712beca392cd0a5557
Instruction Fuzzy Hash: 3F41B631B19D195FEB44BBACA8597BE7BE1FF98791F040276E40DC3282DE2898418791

Function 00007FF848F20768 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3768aa095690e11c241d4677ec6113026acb5107c452dd4dfc0c23a90e51d82
Instruction ID: 6df65595d191c009c50e0f44de2f10e7db48e8b780c54d531fe6ceb0b09117a3
Opcode Fuzzy Hash: d3768aa095690e11c241d4677ec6113026acb5107c452dd4dfc0c23a90e51d82
Instruction Fuzzy Hash: 7C418E74A09A1D8FEB98EF6CD459BB977E0FB25301F10017EE04AD3691DB75E8428B40

Function 00007FF848F20E20 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f7c47ae6d8de8173a31fc8648943a8fd160ec61388db6dc69455638f8bfe61
Instruction ID: f224fbc4d27e2e5229d725ec3bdc1923bc54a070e53e405b19d8f11a89831b95
Opcode Fuzzy Hash: 57f7c47ae6d8de8173a31fc8648943a8fd160ec61388db6dc69455638f8bfe61
Instruction Fuzzy Hash: 2141A531B19D1D5FEB44BBACA8593BE77E1FF98791F10063AE40DC3282DE2898418791

Function 00007FF848F281A1 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926d5a7da171e5d946b4bbf60763ef3854bac620e64eafbaca57e38f9673fc2c
Instruction ID: b5d4fc273a15efc98a44f5b1d2ddfc3e09030864fbd211af1ef29d8fff5df82a
Opcode Fuzzy Hash: 926d5a7da171e5d946b4bbf60763ef3854bac620e64eafbaca57e38f9673fc2c
Instruction Fuzzy Hash: 4341EE71E18A0D9FEB85EB78A4596BDBBF1FF98341F4401BAC009D32D2DF2998428711

Function 00007FF848F204C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fb3da483d018f4810c5db71d60c131d3d4c6a573bf0483262c93400539dd61
Instruction ID: 83914f906c762ee526f8b1276b129516217104811a33b1831302e34a7a631668
Opcode Fuzzy Hash: b6fb3da483d018f4810c5db71d60c131d3d4c6a573bf0483262c93400539dd61
Instruction Fuzzy Hash: 30310431B1D9480FE698BB2C986A379A6C2EF98755F0401BEE00EC32D7CE289C418340

Function 00007FF848F206F8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cc5d6a64748f031484c33a351ee05709a9ce72e3e92ff37866de3d12f0bc14
Instruction ID: d424cdcf132db2598c7428a557d38aba383c32d1ef6d5061a45678530fe77876
Opcode Fuzzy Hash: a5cc5d6a64748f031484c33a351ee05709a9ce72e3e92ff37866de3d12f0bc14
Instruction Fuzzy Hash: 82415C30E0890A8FEB58FBA894556B9B7E1FF54350F240179D01ED32D2DF29B881CB49

Function 00007FF848F20CC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07cac0738b067fc223b60dc8c446fbe47d6e09971416142f0a12fcb4aad727d
Instruction ID: 1de911aea26b67d0bc2232a07ab0d2b60bd357b8e50ec77a15bb40ddc703acc5
Opcode Fuzzy Hash: b07cac0738b067fc223b60dc8c446fbe47d6e09971416142f0a12fcb4aad727d
Instruction Fuzzy Hash: 3841B331E1A90E9FEB45FB6894696BE7BB1FF88340F900579D409D32C6DE3DA8418750

Function 00007FF848F20730 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ce4bc1a65f377def80d1024d691ee52a2d53ae00fa806b8eb69045a7522281
Instruction ID: c3eac6e556196a040ac08601aab5fba2cc4d6a68e3e3062fd768e39f217a3aff
Opcode Fuzzy Hash: c0ce4bc1a65f377def80d1024d691ee52a2d53ae00fa806b8eb69045a7522281
Instruction Fuzzy Hash: EE319870E1890D9FEF84FB6CA4592BDB7E2EF98341F40053AD409E3281DF3AA8418715

Function 00007FF848F293A5 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7ac1522d38abb2c8ad67c90414ed02ece382a417be32304a8a219033e8b737
Instruction ID: 0f70840b20c50d30722caa1727d5e770db03ccf8cf010f80cf70d4d92a6d3d2f
Opcode Fuzzy Hash: ab7ac1522d38abb2c8ad67c90414ed02ece382a417be32304a8a219033e8b737
Instruction Fuzzy Hash: A931A33150DB888FD756DBA8D845AE9BFF0EF56310F0481AFD089C75A3C768A849CB61

Function 00007FF848F212B1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db516192c2581f575400518123094f9852ea4c1db2c2fbc5cd32ab2054329f2
Instruction ID: 6191094e1bfb0d6efece1d4f942690bdca6e09615d01a8119dbdcd70d00c3c2d
Opcode Fuzzy Hash: 5db516192c2581f575400518123094f9852ea4c1db2c2fbc5cd32ab2054329f2
Instruction Fuzzy Hash: 0631E570D0DA898FE389EB7854692B93FE1EF95340F4500BFD04AC36D3EE6968458305

Function 00007FF848F280A8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9b2a0a6cabb14b750f369778e2e4c5d00edba17ea52fd47c5e04db5efb03f3
Instruction ID: 74f534cc8a537d7487c7d8a0b9741c5f77c4959d1169cbb63805b5196d89a144
Opcode Fuzzy Hash: 2f9b2a0a6cabb14b750f369778e2e4c5d00edba17ea52fd47c5e04db5efb03f3
Instruction Fuzzy Hash: AD31A070A58D1CEFDF85FF2CD8855AA77E1FB98310F00056AE408C3285EB35E9528B81

Function 00007FF848F291B1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb920837095888b870ba9e1aaab9b7756d3704a6ede634b27fd59ea15c2afcb7
Instruction ID: 25a9521dbb163109b541c7dfe0b3e66a96ccd0da008c31255413eddea18cff9e
Opcode Fuzzy Hash: cb920837095888b870ba9e1aaab9b7756d3704a6ede634b27fd59ea15c2afcb7
Instruction Fuzzy Hash: 4121F820A2EA5D5FEB45B76C68157EA77D1FF48350F50027AE00CC32C3EE2CA85187A6

Function 00007FF848F20738 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fb50e33a947acfab57c25eeeb98a617d58958ce31b1e03a20a31799be71489
Instruction ID: 97d21afa394339f294ee80f272cc75758b008dd2288ee5b267e9e13fb08af965
Opcode Fuzzy Hash: b9fb50e33a947acfab57c25eeeb98a617d58958ce31b1e03a20a31799be71489
Instruction Fuzzy Hash: 86217F70A59D1CEFDF85FB2CD485AAA77E1FB98310F40056AE409C3284DB36EC528B85

Function 00007FF848F28365 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da9b6ae7f1046155755d3975f22e306d55e19232f3ed2d0570848944295a3e3
Instruction ID: 6b1ca653554ef90cae80b4bf7aa79724d35c66da016a28a4c597edf8bd7a0dbb
Opcode Fuzzy Hash: 2da9b6ae7f1046155755d3975f22e306d55e19232f3ed2d0570848944295a3e3
Instruction Fuzzy Hash: 1F21E132C2DA8A4FE345A724A8621FA7FB1FF45380F8901B6D049CB5D3CF2E29168355

Function 00007FF848F284CE Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f7494dfdc199a6eec1f11ec40c89773f5fb0bcaad8b61f9b53b14ba4a715c3
Instruction ID: e71d08d0e4a77def23a57bc2da5e4799d4d0968c01dd7439a98dfc46f81b976b
Opcode Fuzzy Hash: 18f7494dfdc199a6eec1f11ec40c89773f5fb0bcaad8b61f9b53b14ba4a715c3
Instruction Fuzzy Hash: 0121C331E2D90A9FE748FB38984A265B7A0FF14360F54467DD00EC35C2DF29A8568781

Function 00007FF848F213E5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0546887b498431c7523b12bbf78fad416f7bf9ec503d36ef29c21ff819a57aac
Instruction ID: d265cc6a1eb743f0d9f1619a3d43caa00da052f8cbb21a2df04cb6b75c7037bc
Opcode Fuzzy Hash: 0546887b498431c7523b12bbf78fad416f7bf9ec503d36ef29c21ff819a57aac
Instruction Fuzzy Hash: 3B21BF31E1E6425FE759B7B8A4162B92692EF92390F540079E00DC72C3DF2EBC52835D

Function 00007FF848F20778 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ded9cbd635d442780817d2f561eb452e36c283073209bb9e99c02fe80c0a571
Instruction ID: 9620ebd9b9a42f472cf3b35b53e48c4ec168c64521618961bc0527382666eb44
Opcode Fuzzy Hash: 4ded9cbd635d442780817d2f561eb452e36c283073209bb9e99c02fe80c0a571
Instruction Fuzzy Hash: AB21C420A2E91D6BEB44B76CA8167FA73D5FB48354F500275F00DC36C2EE2CA8508396

Function 00007FF848F292C9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9add3ec17aa797ca8ccbbc1ade7f54a15115b166453c5a0c95091260c17927
Instruction ID: 8f33b193d0bf8069e62806d0c7eb4c61c8117b05e262174b29bbfd0ee2fe5bf7
Opcode Fuzzy Hash: 5b9add3ec17aa797ca8ccbbc1ade7f54a15115b166453c5a0c95091260c17927
Instruction Fuzzy Hash: 67215730A4D68A0FE746A7789812AF67BE6EF8A340F0400BAD08DC35C2DE1D9C128355

Function 00007FF848F206F2 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b570f784980b9b56c9cdb781acf4b9ef7bbb7863e144603ea53cc3e9d84a4bb1
Instruction ID: be435d4915bc16ec898ecc0742413018ee422ef195bcb51f43d574b213c35810
Opcode Fuzzy Hash: b570f784980b9b56c9cdb781acf4b9ef7bbb7863e144603ea53cc3e9d84a4bb1
Instruction Fuzzy Hash: EE115532D0DA5A0FC740B7A8A8194FEBBE0FF55350F0001B7E418C3182EF25694487C1

Function 00007FF848F27C91 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f5cc961f4b919a3977d395bc8eed431ea57fa7d523e2fecd7accb762cee0b3
Instruction ID: 606c788c07ea91cd196eb4332a2f8513567ebcb4c4e24dd6786c96c155e01d96
Opcode Fuzzy Hash: 91f5cc961f4b919a3977d395bc8eed431ea57fa7d523e2fecd7accb762cee0b3
Instruction Fuzzy Hash: 6801C472D0DA894FDB41AB64986A1ED7BF0EF15751F4401ABD408CB196EB2899448781

Function 00007FF848F20720 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaf929658cb9ec3310966823dd6a0e43ebf1379c5a41715b3ef74c55a747446
Instruction ID: ff6bec1cfc3824c99bb0f940678844f8ef841df5f42657b6fac452d1145e35b1
Opcode Fuzzy Hash: fcaf929658cb9ec3310966823dd6a0e43ebf1379c5a41715b3ef74c55a747446
Instruction Fuzzy Hash: E8F0A431D1991E5EDB50BB68A8491FE77E0FF18790F000177E419D2185DF34694487C1

Function 00007FF848F21131 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31338e7dada85e42fbf7107a1f984168aa81f96d2ccab27561d9e5ab3466e90
Instruction ID: 6021da465a3281ce036a4d4f92a33d83854df11a43946e16968fdd79463f55da
Opcode Fuzzy Hash: c31338e7dada85e42fbf7107a1f984168aa81f96d2ccab27561d9e5ab3466e90
Instruction Fuzzy Hash: 02F02435868B8C8FCB41BF20980509A7B64FF95314F04068BF85DC7091EB31D628C782

Function 00007FF848F21448 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25594a2de3988f4e1e547e6f2291edd0a22c27dc3c468b5c16230c939cd3356
Instruction ID: 58f740cf326bbcb303dda42ccbc22f06c2bb41e94cdaf80d6f8236c1acf8bc89
Opcode Fuzzy Hash: b25594a2de3988f4e1e547e6f2291edd0a22c27dc3c468b5c16230c939cd3356
Instruction Fuzzy Hash: 01F08C31D0D4068FE365F768E4816B877A2AF923A0F500A34D00DC21C2DF3AB8A28748

Function 00007FF848F21274 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a326a1da92f9f5a0508d52f105d719d0f805761966f1473f56143972115fdb93
Instruction ID: 38e1202384739b861106c7fbb174573ff7031b0b78fffe4c78ec754ca89ca7e3
Opcode Fuzzy Hash: a326a1da92f9f5a0508d52f105d719d0f805761966f1473f56143972115fdb93
Instruction Fuzzy Hash: F9D01211C5E2C30FE70B37B41C565857F558F572E0F594391E454C60D3ED5E249A4276

Function 00007FF848F2077D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ff9c738aec7e2fc7d4f29038c60806858b07f9200a27eacaeb44f250bddbf1
Instruction ID: 0c43bed7e827a5d07dabeeb7f9901b98240f0550397d7e7d562c41aedb3b949c
Opcode Fuzzy Hash: 39ff9c738aec7e2fc7d4f29038c60806858b07f9200a27eacaeb44f250bddbf1
Instruction Fuzzy Hash: B7B09211EAE44A08E445737A6A460B8BBA09B9A1A0FC400B1D888445D69A4F18A68246

Non-executed Functions

Function 00007FF848F23ADD Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4459614911.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e08634b2c383b31dc26f7d54f056aee19aa4d9671f8e3b62eca64500b29b7e7
Instruction ID: 2a57aef6c6d4e29f1036b7328022c0bf4c811969bf8a9aaf83330241169cba51
Opcode Fuzzy Hash: 6e08634b2c383b31dc26f7d54f056aee19aa4d9671f8e3b62eca64500b29b7e7
Instruction Fuzzy Hash: 08C1BF3090DA8C8FDB59EB6898557E9BBB1FF56310F0442AED04DD3292CF746985CB82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
17350220448d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a634.dat-decoded.exe