Edit tour

Windows Analysis Report
kJsfHgzi7N.exe

Overview

General Information

Sample name:	kJsfHgzi7N.exe renamed because original name is a hash value
Original sample name:	72f57ef98a51163156a99fd1603031ed934e0760afe52c4eb535c82bede72b63.exe
Analysis ID:	1583093
MD5:	98c6c6cab711f3b5eb8a3559ced3ab0e
SHA1:	c17019e5cda21689b3f9bfc5df5f5e63194ba57b
SHA256:	72f57ef98a51163156a99fd1603031ed934e0760afe52c4eb535c82bede72b63
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

kJsfHgzi7N.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\kJsfHgzi7N.exe" MD5: 98C6C6CAB711F3B5EB8A3559CED3AB0E)

WerFault.exe (PID: 3452 cmdline: C:\Windows\system32\WerFault.exe -u -p 4876 -s 1248 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["192.248.185.253"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
kJsfHgzi7N.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
kJsfHgzi7N.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x6546:$str05: Select * from AntivirusProduct 0x6744:$str06: PCRestart 0x6758:$str07: shutdown.exe /f /r /t 0 0x680a:$str08: StopReport 0x67e0:$str09: StopDDos 0x68d6:$str10: sendPlugin 0x6956:$str11: OfflineKeylogger Not Enabled 0x6aae:$str12: -ExecutionPolicy Bypass -File " 0x6bd7:$str13: Content-length: 5235
kJsfHgzi7N.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x68f2:$cnc4: POST / HTTP/1.1
00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: kJsfHgzi7N.exe PID: 4876	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.kJsfHgzi7N.exe.760000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.kJsfHgzi7N.exe.760000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x6546:$str05: Select * from AntivirusProduct 0x6744:$str06: PCRestart 0x6758:$str07: shutdown.exe /f /r /t 0 0x680a:$str08: StopReport 0x67e0:$str09: StopDDos 0x68d6:$str10: sendPlugin 0x6956:$str11: OfflineKeylogger Not Enabled 0x6aae:$str12: -ExecutionPolicy Bypass -File " 0x6bd7:$str13: Content-length: 5235
0.0.kJsfHgzi7N.exe.760000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:00:11.830544+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:23.209479+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:26.828489+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.558460+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.558550+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.559220+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.559473+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:46.053311+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:56.830267+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:57.475415+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:08.928508+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:17.834581+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:17.930827+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.026684+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.124423+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.305983+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.383799+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.483456+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:24.694204+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:26.844743+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:33.117454+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:33.208816+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:44.444827+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:47.103131+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:49.176782+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:53.928759+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:56.508161+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:56.860513+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.131775+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.225182+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.322117+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.417558+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:22.275882+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:26.876846+0100	2852870	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:00:12.497239+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:23.211782+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:35.563456+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:46.054946+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:57.479317+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:08.937644+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:17.837185+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:17.932895+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.028706+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.126152+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.225577+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.307994+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.385661+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.484870+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.583533+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.589652+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.679784+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.684818+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:24.696021+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:33.125575+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:33.211659+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:44.447164+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:47.107242+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:49.180943+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:53.931001+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:56.509940+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.133594+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.228386+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.323916+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.419304+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:00:26.828489+0100	2852874	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:56.830267+0100	2852874	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:26.844743+0100	2852874	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:56.860513+0100	2852874	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:26.876846+0100	2852874	1	Malware Command and Control Activity Detected	192.248.185.253	7000	192.168.2.7	49699	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:02:22.085871+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.7	49699	192.248.185.253	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kJsfHgzi7N.exe

Avira: detected

Found malware configuration

Source: kJsfHgzi7N.exe

Malware Configuration Extractor: Xworm {"C2 url": ["192.248.185.253"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: kJsfHgzi7N.exe	ReversingLabs: Detection: 84%
Source: kJsfHgzi7N.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: kJsfHgzi7N.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: kJsfHgzi7N.exe	String decryptor: 192.248.185.253
Source: kJsfHgzi7N.exe	String decryptor: 7000
Source: kJsfHgzi7N.exe	String decryptor: <123456789>
Source: kJsfHgzi7N.exe	String decryptor: <Xwormmm>
Source: kJsfHgzi7N.exe	String decryptor: XWorm V5.6
Source: kJsfHgzi7N.exe	String decryptor: USB.exe

Source: kJsfHgzi7N.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kJsfHgzi7N.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdbMZ@ source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbo source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Users\user\Desktop\kJsfHgzi7N.PDBc source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B843000.00000004.00000020.00020000.00000000.sdmp, WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb]2 source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.pdbH source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6 source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdbh source: WERD7BF.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49699 -> 192.248.185.253:7000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 192.248.185.253:7000 -> 192.168.2.7:49699
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49699 -> 192.248.185.253:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 192.248.185.253:7000 -> 192.168.2.7:49699
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49699 -> 192.248.185.253:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 192.248.185.253

Source: global traffic

TCP traffic: 192.168.2.7:57696 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown

DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 192.248.185.253

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: kJsfHgzi7N.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: kJsfHgzi7N.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC516B22	0_2_00007FFAAC516B22
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC515D76	0_2_00007FFAAC515D76
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC512270	0_2_00007FFAAC512270
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC51ACB8	0_2_00007FFAAC51ACB8

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4876 -s 1248

Source: kJsfHgzi7N.exe, 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs kJsfHgzi7N.exe
Source: kJsfHgzi7N.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs kJsfHgzi7N.exe

Source: kJsfHgzi7N.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kJsfHgzi7N.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: kJsfHgzi7N.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: kJsfHgzi7N.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: kJsfHgzi7N.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: kJsfHgzi7N.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Mutant created: \Sessions\1\BaseNamedObjects\0odbjbwGJrMldHCX
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4876

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\61351380-78f1-4a96-b07a-63d86c65284d

Jump to behavior

Source: kJsfHgzi7N.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kJsfHgzi7N.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kJsfHgzi7N.exe	ReversingLabs: Detection: 84%
Source: kJsfHgzi7N.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

File read: C:\Users\user\Desktop\kJsfHgzi7N.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kJsfHgzi7N.exe "C:\Users\user\Desktop\kJsfHgzi7N.exe"
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4876 -s 1248

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kJsfHgzi7N.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kJsfHgzi7N.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdbMZ@ source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbo source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Users\user\Desktop\kJsfHgzi7N.PDBc source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B843000.00000004.00000020.00020000.00000000.sdmp, WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb]2 source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.pdbH source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6 source: kJsfHgzi7N.exe, 00000000.00000002.2719525423.000000001B7FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: kJsfHgzi7N.exe, 00000000.00000002.2719368634.000000001B389000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD7BF.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdbh source: WERD7BF.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: kJsfHgzi7N.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: kJsfHgzi7N.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: kJsfHgzi7N.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: kJsfHgzi7N.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: kJsfHgzi7N.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC517548 push ebx; iretd		0_2_00007FFAAC51756A
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Code function: 0_2_00007FFAAC517558 push ebx; iretd		0_2_00007FFAAC51756A

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Memory allocated: D90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Memory allocated: 1A930000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Window / User API: threadDelayed 8807			Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Window / User API: threadDelayed 1022			Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe TID: 6028	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe TID: 6660	Thread sleep count: 8807 > 30	Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe TID: 6660	Thread sleep count: 1022 > 30	Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: kJsfHgzi7N.exe, 00000000.00000002.2717580523.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\kJsfHgzi7N.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Queries volume information: C:\Users\user\Desktop\kJsfHgzi7N.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\kJsfHgzi7N.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: kJsfHgzi7N.exe, type: SAMPLE
Source: Yara match	File source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kJsfHgzi7N.exe PID: 4876, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: kJsfHgzi7N.exe, type: SAMPLE
Source: Yara match	File source: 0.0.kJsfHgzi7N.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kJsfHgzi7N.exe PID: 4876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	131 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kJsfHgzi7N.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
kJsfHgzi7N.exe	79%	Virustotal		Browse
kJsfHgzi7N.exe	100%	Avira	HEUR/AGEN.1305769
kJsfHgzi7N.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
192.248.185.253	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
241.42.69.40.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
192.248.185.253	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.14.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	kJsfHgzi7N.exe, 00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.248.185.253	unknown	France		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583093
Start date and time:	2025-01-01 21:59:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kJsfHgzi7N.exe renamed because original name is a hash value
Original Sample Name:	72f57ef98a51163156a99fd1603031ed934e0760afe52c4eb535c82bede72b63.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 13.107.246.45, 4.245.163.56, 40.69.42.241, 40.126.32.136
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target kJsfHgzi7N.exe, PID 4876 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:59:58	API Interceptor	5358026x Sleep call for process: kJsfHgzi7N.exe modified
17:18:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	DF2.exe	Get hash	malicious	Unknown	Browse	192.248.182.81
	setup.msi	Get hash	malicious	Unknown	Browse	45.77.249.79
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	149.28.124.84
	botx.mips.elf	Get hash	malicious	Mirai	Browse	149.253.144.7
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	78.141.232.165
	3OQL58yflv.exe	Get hash	malicious	Metasploit	Browse	202.182.125.24
	armv5l.elf	Get hash	malicious	Unknown	Browse	44.174.62.96
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	8.12.100.87
	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	45.76.253.210
	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Get hash	malicious	NetSupport RAT	Browse	45.76.253.210

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kJsfHgzi7N.exe_6e93cf24fbd62951e3558f64d8296fd8ae7a_00a58ed6_2dc9bf71-9b6a-444a-bdbd-43fc7e3d3cb2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.21781300927216
Encrypted:	false
SSDEEP:	192:qgwzuN081iH5aWz8iyolHWHF3WzuiF4KZ24lO8m:5wzX81iZa48irIUzuiF4KY4lO8m
MD5:	317EF9D6F91089EE57E9EAE069C83FEB
SHA1:	9A0AB2F8ED8409A9AF93E4927B5BF80AD85320B8
SHA-256:	960CCBDA26F314C3009C5327307C13CA5B733758CFA3B752FA7E11B5E0EC3CB0
SHA-512:	EF88F9323BB02B7288AF9676F619577ED4C62F1D2241AEAC1D03D35D2F5A5F074A434B67F3E4496C85149C183E40C35E8ED10FC4E73CD810DD53F25E5EF00CDA
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.2.4.3.5.1.3.7.8.6.4.6.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.2.4.3.5.1.4.3.3.3.3.3.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.c.9.b.f.7.1.-.9.b.6.a.-.4.4.4.a.-.b.d.b.d.-.4.3.f.c.7.e.3.d.3.c.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.2.c.f.9.3.a.-.9.2.a.6.-.4.5.7.a.-.b.c.5.c.-.0.6.7.f.b.8.f.7.1.2.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.k.J.s.f.H.g.z.i.7.N...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.0.c.-.0.0.0.1.-.0.0.1.4.-.b.1.1.a.-.0.c.1.c.9.0.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.5.b.a.5.2.6.d.f.d.3.3.2.3.c.e.d.5.f.f.c.2.4.9.9.c.1.b.3.3.a.a.0.0.0.0.0.0.0.0.!.0.0.0.0.c.1.7.0.1.9.e.5.c.d.a.2.1.6.8.9.b.3.f.9.b.f.c.5.d.f.5.f.5.e.6.3.1.9.4.b.a.5.7.b.!.k.J.s.f.H.g.z.i.7.N...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Jan 1 22:18:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	555213
Entropy (8bit):	3.01543941730729
Encrypted:	false
SSDEEP:	3072:bPwegPd0ZHr1CCq4GFrbI4uS3+vowe9mo4IdAyGecSTPlNxTFRRBq:krPapDqPbI4P3QowyrT5Zj
MD5:	963D54267F6F0E1328E630E46C8814B2
SHA1:	40593B0C9FC69259DD4B8B2F1D4661CA116CAA79
SHA-256:	E9C7B40014D48C9BC904955E1AC58BC18FCE85BEF1F2C69771DC12DA304163AF
SHA-512:	E0B5B5BB166BE4D760020D727EA7068DBB150EB60E3B5155C60B61605EB97733E0BBDFA2BAF3FD907C1937589F9339ACA2ADE203E4D53C258366104C7D3DE038
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......:.ug............d...........H...........$....&......d....&......49.............l.......8...........T...........(B...6..........T4..........@6..............................................................................eJ.......6......Lw......................T............ug....0........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8F8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8936
Entropy (8bit):	3.707254536626789
Encrypted:	false
SSDEEP:	192:R6l7wVeJteV6YNuPegmfZK8npr589bp8hmPHPrfTjm:R6lXJkV6YE2gmfwtpCmPHPrfG
MD5:	5E67C39E1A4B9429D73995DEE427FDEF
SHA1:	759D454F38F9F023DC5CF03E35ED77DC50112F62
SHA-256:	9FE7F4E417F960397C09FB5F24D4479996CF8FB34666A41592FC6EC95E8EB293
SHA-512:	BA6E3416E0C0073A3EB2F9F4BC7D52E9B645A3D2CA5E4E3C3B0E36694B5F374A6CFAE95ACA95D6A42E8CB6B92F20806D02DFFC16003E02B2011E5DDE2F9F2FA6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD928.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4780
Entropy (8bit):	4.466411787079911
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I9SBkudWpW8VYCYm8M4J5LlCFZvyq8vOLl462qNmBd:uIjfZI73Bkus7VmJ5pAvWOp465mBd
MD5:	26D1E60CCB9F5AEE537B30BE01395683
SHA1:	0E023767BB03E242D76A69CC2EEA9713A14E3EC2
SHA-256:	5A88420E7D37C69675A68CCB7EF4A2279D17DACC9F824E5B0D284EDE3E08AAF1
SHA-512:	9F7C93B4DB7408693D17362D3169898ED537F68273E31649F8A5FE388CF09FB482AAC2B1DD5A71C785691DC48EE51FE234853624F5610D940B11035C5460A387
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="657441" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416746311848536
Encrypted:	false
SSDEEP:	6144:Ycifpi6ceLPL9skLmb0mFSWSPtaJG8nAgex285i2MMhA20X4WABlGuNx5+:Ni58FSWIZBk2MM6AFBbo
MD5:	D07DE0330EA9AF926BAFA8550DE83937
SHA1:	2A9E7BDBB2EDC17C0E886E91DAD3CA76713B6B7F
SHA-256:	90A77088F7E7D2D17C3757E75EC42F7CA952FC4C840BE04E7F369BEB8D5BF6B5
SHA-512:	426697815C91F4BC9EEA89CB4CE234DC95C71E7EB1723F6BD7916F273A0C7B517CEAEDBF77F3224F922F288D1C2EDE9D7CC5129549E8614C9BEC73C24AB7FFFC
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..h..\...............................................................................................................................................................................................................................................................................................................................................E.,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.589441063198639
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	kJsfHgzi7N.exe
File size:	33'280 bytes
MD5:	98c6c6cab711f3b5eb8a3559ced3ab0e
SHA1:	c17019e5cda21689b3f9bfc5df5f5e63194ba57b
SHA256:	72f57ef98a51163156a99fd1603031ed934e0760afe52c4eb535c82bede72b63
SHA512:	8c291eb5bc3801136ca50e7aa57af41597e754ce00c96bfacecf6d51b1c741076dafd16359f4b83d4247b5703871921320fac8c55485daff8b4d79e054aab62b
SSDEEP:	384:DEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFOfBdRApkFTBLTsOZwpGd2v99IkuiseE:QVa+vNtg+PB93Tw4iBdVFE9jjOjhOJy
TLSH:	A3E23A4877D44312DAEEAFB12DF3620612709517E913EF6E0CE485EA2B67AC047407EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug.................x..........n.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6775EDBE [Thu Jan 2 01:37:02 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x971c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	5d9eb24c02f95e0db6a4061aa0780c1a	False	0.50087890625	data	5.740305735272717	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	3ee5eb55d2c84cad34ece42377c6f250	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T22:00:11.645414+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:11.830544+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:12.497239+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:23.209479+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:23.211782+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:26.828489+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:26.828489+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.558460+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.558550+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.559220+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.559473+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:35.563456+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:46.053311+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:46.054946+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:00:56.830267+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:56.830267+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:57.475415+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:00:57.479317+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:08.928508+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:08.937644+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:17.834581+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:17.837185+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:17.930827+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:17.932895+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.026684+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.028706+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.124423+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.126152+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.225577+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.305983+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.307994+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.383799+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.385661+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.483456+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:18.484870+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.583533+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.589652+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.679784+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:18.684818+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:24.694204+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:24.696021+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:26.844743+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:26.844743+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:33.117454+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:33.125575+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:33.208816+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:33.211659+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:44.444827+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:44.447164+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:47.103131+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:47.107242+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:49.176782+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:49.180943+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:53.928759+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:53.931001+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:56.508161+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:56.509940+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:01:56.860513+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:01:56.860513+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.131775+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.133594+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.225182+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.228386+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.322117+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.323916+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:04.417558+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:04.419304+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:22.085871+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49699	192.248.185.253	7000	TCP
2025-01-01T22:02:22.275882+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:26.876846+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	192.248.185.253	7000	192.168.2.7	49699	TCP
2025-01-01T22:02:26.876846+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	192.248.185.253	7000	192.168.2.7	49699	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:00:00.015779972 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:00.022018909 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:00.022094011 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:00.191355944 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:00.196263075 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:11.645414114 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:11.650221109 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:11.830543995 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:11.883074999 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:12.497239113 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:12.502084970 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:23.024394035 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:23.029196978 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:23.209479094 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:23.211781979 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:23.216653109 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:26.828489065 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:26.883153915 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:28.453387976 CET	57696	53	192.168.2.7	162.159.36.2
Jan 1, 2025 22:00:28.458209038 CET	53	57696	162.159.36.2	192.168.2.7
Jan 1, 2025 22:00:28.458292007 CET	57696	53	192.168.2.7	162.159.36.2
Jan 1, 2025 22:00:28.463102102 CET	53	57696	162.159.36.2	192.168.2.7
Jan 1, 2025 22:00:28.913335085 CET	57696	53	192.168.2.7	162.159.36.2
Jan 1, 2025 22:00:28.918751955 CET	53	57696	162.159.36.2	192.168.2.7
Jan 1, 2025 22:00:28.918811083 CET	57696	53	192.168.2.7	162.159.36.2
Jan 1, 2025 22:00:34.446032047 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:34.450867891 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:35.558459997 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:35.558549881 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:35.558653116 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:35.559220076 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:35.559473038 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:35.559515953 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:35.559542894 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:35.563456059 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:35.568362951 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:45.867945910 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:45.872951984 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:46.053311110 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:46.054945946 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:46.059849977 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:56.830266953 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:56.883306026 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:57.290088892 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:57.295068979 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:57.475414991 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:00:57.479316950 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:00:57.484081030 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:08.713638067 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:08.718894005 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:08.928508043 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:08.937644005 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:08.942585945 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.649456024 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.654376984 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.665013075 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.669811010 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.774420977 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.779396057 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.790040970 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.794809103 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.834580898 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.837184906 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.842020988 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.868145943 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.873119116 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.899374008 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.904284000 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.915226936 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.920111895 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.930826902 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.932894945 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.981017113 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:17.981067896 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:17.986025095 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.026684046 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.028706074 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.033559084 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.040147066 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.045099020 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.124423027 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.126152039 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.134118080 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.212126970 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.217305899 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.223368883 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.225577116 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.273088932 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.273148060 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.277971029 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.290152073 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.295320988 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.305983067 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.307993889 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.353111029 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.353174925 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.358046055 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.383799076 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.385660887 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.433094978 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.483455896 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.484869957 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.489767075 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.581445932 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.583533049 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.589041948 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.589652061 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.594840050 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.677217007 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.679784060 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.684696913 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:18.684818029 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:18.689692020 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:24.508640051 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:24.513537884 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:24.694204092 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:24.696021080 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:24.700817108 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:26.844743013 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:26.899068117 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:32.931890011 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:32.936806917 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:33.011882067 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:33.016832113 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:33.117454052 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:33.125575066 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:33.130352974 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:33.208816051 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:33.211658955 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:33.216443062 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:44.259150982 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:44.264091969 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:44.444827080 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:44.447164059 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:44.451960087 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:46.917738914 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:46.922657967 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:47.103131056 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:47.107242107 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:47.112097979 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:48.977746964 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:48.996274948 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:49.176781893 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:49.180943012 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:49.185887098 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:53.743294001 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:53.749591112 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:53.928759098 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:53.931000948 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:53.935875893 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:56.321544886 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:56.326431990 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:56.508161068 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:56.509939909 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:01:56.514764071 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:56.860512972 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:01:56.917789936 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:03.946463108 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:03.951244116 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:03.962160110 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:03.966978073 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:03.977755070 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:03.982573986 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.118390083 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:04.123224974 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.131774902 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.133594036 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:04.181055069 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.225182056 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.228385925 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:04.233228922 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.322117090 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.323915958 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:04.331013918 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.417557955 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:04.419303894 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:04.424140930 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:22.085870981 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:22.090769053 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:22.275882006 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:22.321297884 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:26.876846075 CET	7000	49699	192.248.185.253	192.168.2.7
Jan 1, 2025 22:02:26.930706024 CET	49699	7000	192.168.2.7	192.248.185.253
Jan 1, 2025 22:02:27.437553883 CET	49699	7000	192.168.2.7	192.248.185.253

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:00:28.452795982 CET	53	53254	162.159.36.2	192.168.2.7
Jan 1, 2025 22:00:28.923448086 CET	55483	53	192.168.2.7	1.1.1.1
Jan 1, 2025 22:00:28.930855989 CET	53	55483	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 22:00:28.923448086 CET	192.168.2.7	1.1.1.1	0x78d0	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 22:00:28.930855989 CET	1.1.1.1	192.168.2.7	0x78d0	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	15:59:55
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\kJsfHgzi7N.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\kJsfHgzi7N.exe"
Imagebase:	0x760000
File size:	33'280 bytes
MD5 hash:	98C6C6CAB711F3B5EB8A3559CED3AB0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1210622241.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2718037492.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:18:33
Start date:	01/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4876 -s 1248
Imagebase:	0x7ff7a4490000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFAAC512270 Relevance: 2.4, Strings: 1, Instructions: 1143COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAAC51A77F

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 367d2f137c877465165dd99e6097664d2379fe24665d78bfa8c1594df079c917
Instruction ID: 7c9311880c2cb6028f1bf618c27451e395463a49a864761b390d5984acc51a20
Opcode Fuzzy Hash: 367d2f137c877465165dd99e6097664d2379fe24665d78bfa8c1594df079c917
Instruction Fuzzy Hash: E5825170A9D51A8BFB94FB78C459A7972D6EF99300F508578E01FD32C3DE28E8468781

Function 00007FFAAC515D76 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217532191256e490d7ecd5dfdbe8375884bc9ee2e25e0f7bdf384f0e4623bbfb
Instruction ID: f350ee48408518ef1f10cc56188e20530c27119a8e12e17c0d9c1ca077e414ba
Opcode Fuzzy Hash: 217532191256e490d7ecd5dfdbe8375884bc9ee2e25e0f7bdf384f0e4623bbfb
Instruction Fuzzy Hash: A4F1B570919A8E8FEBA8EF28C8557E937D1FF55310F04826AE84EC7291CF74D9448B81

Function 00007FFAAC516B22 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53ac82ac55834129207063aa2cab053a59650e5f2df14fc3a85763a2ffb80c8
Instruction ID: 5bc91d8e1ca5488a8f9f589c9321dec52cba813264ba4c4f7835a7d8b3013938
Opcode Fuzzy Hash: e53ac82ac55834129207063aa2cab053a59650e5f2df14fc3a85763a2ffb80c8
Instruction Fuzzy Hash: C9E1A430919A8E8FEBA8EF28C8567E977D1EF55310F14826AE84EC7291CF74D94487C1

Function 00007FFAAC510758 Relevance: 5.4, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC519ADB
r6, xrefs: 00007FFAAC519B53
6, xrefs: 00007FFAAC519A35
r6, xrefs: 00007FFAAC5198EB

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 6$r6$r6$r6
API String ID: 0-3926755054
Opcode ID: e58fac61dda58ca1227add3eb459793b83d4bb9c0158dcbdfdbbb7a622614420
Instruction ID: 1ebf394c4d8b8624594ef914c34222fe3103a2d19b571485a15d35c15146c12c
Opcode Fuzzy Hash: e58fac61dda58ca1227add3eb459793b83d4bb9c0158dcbdfdbbb7a622614420
Instruction Fuzzy Hash: 6CD1D5B1A5C91A8FE758FB2CC498AA577E1FB99310B5445BDE04FC72A2CE24EC0587C0

Function 00007FFAAC511D05 Relevance: 4.2, Strings: 3, Instructions: 477COMMON

Download Yara Rule

Strings

0", xrefs: 00007FFAAC511E2D
HB, xrefs: 00007FFAAC512041
r6, xrefs: 00007FFAAC511E71

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 0"$HB$r6
API String ID: 0-2729165795
Opcode ID: 3ff1541dfd9ea85ca334738b6086a9ba147a43f7275b326cd5f98c7d3b42e5f7
Instruction ID: 54d0e3e6eddb0b4ea9b5828301a7d7f5697a4c220c4f0f31a921bb2d6bb3e46b
Opcode Fuzzy Hash: 3ff1541dfd9ea85ca334738b6086a9ba147a43f7275b326cd5f98c7d3b42e5f7
Instruction Fuzzy Hash: 08E14AA2E5DA8A8FF759A73884192B97BD5EF5A210B0481FEE04FC71D3DD149C0983C1

Function 00007FFAAC511CD0 Relevance: 4.2, Strings: 3, Instructions: 459COMMON

Download Yara Rule

Strings

0", xrefs: 00007FFAAC511E2D
HB, xrefs: 00007FFAAC512041
r6, xrefs: 00007FFAAC511E71

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 0"$HB$r6
API String ID: 0-2729165795
Opcode ID: a593e7f16a1e492134d204d93efb7d47231a56c6e56ad839dafe3c8001762d74
Instruction ID: eded2d6a7484c15b956926f75944598b2348e9960ec1cc98f7c414aa168e61bb
Opcode Fuzzy Hash: a593e7f16a1e492134d204d93efb7d47231a56c6e56ad839dafe3c8001762d74
Instruction Fuzzy Hash: 58D14AA2E5DA4A8FF759A73C84196B97BD5EF9A310B0481BEE04FC71D3DD18980683C1

Function 00007FFAAC511738 Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC511849
HB, xrefs: 00007FFAAC511809
/, xrefs: 00007FFAAC5117EA

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: HB$/$/
API String ID: 0-2471025714
Opcode ID: 2b0d2941904af1bf097824d7cdccd4d5888e04832444eb3b5a5261bb16eb90e3
Instruction ID: 9acd62dd34dce2261574ca12a69dcb958d494917161dd4c342cee158e548df63
Opcode Fuzzy Hash: 2b0d2941904af1bf097824d7cdccd4d5888e04832444eb3b5a5261bb16eb90e3
Instruction Fuzzy Hash: DC816930D4D68A8FEB46E73488155AA7FA4EF57310F1842FAE05EC31D3CE28A846C791

Function 00007FFAAC510925 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

0D, xrefs: 00007FFAAC510A50
0D, xrefs: 00007FFAAC510AA1

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 0D$0D
API String ID: 0-2892953775
Opcode ID: 7851f553c715800e60700ffc8ad997db81f9b59ce30279c727ab15d8b5e91903
Instruction ID: e00d97b435209bc74612d03fe1ab071e72402908852320c8bc0a883fd86fe50c
Opcode Fuzzy Hash: 7851f553c715800e60700ffc8ad997db81f9b59ce30279c727ab15d8b5e91903
Instruction Fuzzy Hash: 95512761A99A4A8FE784F778D4695BC7BE5FF9D210B4049BDE00FC31D3DD2899058380

Function 00007FFAAC51262D Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC51266A

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: 8d1a01459f29c1f2a2041e2243bd83f76c9c29ceba2eb5eca4f388ba9c7ae37e
Instruction ID: 71b374fbb992f62a4cc4b97dbca5706f7cce24d684df9bb98247003007a47b3b
Opcode Fuzzy Hash: 8d1a01459f29c1f2a2041e2243bd83f76c9c29ceba2eb5eca4f388ba9c7ae37e
Instruction Fuzzy Hash: AF912E6079890A8BE784B77CD456BB9B2D6EF99301F548579E00FC33E3CD28B9418792

Function 00007FFAAC5105A0 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

8e, xrefs: 00007FFAAC5110FD

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 8e
API String ID: 0-1620073548
Opcode ID: 3fb214f7374ae4d283edd724648c724a083c5a98dabe537d5eb26c05e26bcf06
Instruction ID: 6bfca50a3cd443b9ad47cc60dd27e9e831617df02a9b03911fd8cd6f55ecca90
Opcode Fuzzy Hash: 3fb214f7374ae4d283edd724648c724a083c5a98dabe537d5eb26c05e26bcf06
Instruction Fuzzy Hash: 8A412662F5DA4A4FF399B73CD84AA7A77C6EB95211B0444F9E44EC3293DC18AC428381

Function 00007FFAAC510B5E Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC510BD2

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 4672170aedbc868578320d6b1f77513b949df49e13af5eb4bc9d0ed993862ab6
Instruction ID: 88d41fa1077377f1ec86330a012db1e55fc1dcc10dd028304eb6ddf6591500a4
Opcode Fuzzy Hash: 4672170aedbc868578320d6b1f77513b949df49e13af5eb4bc9d0ed993862ab6
Instruction Fuzzy Hash: D841276171DA890FE789A77CD85A6797BD6DF8A214F0901FFE04EC7293CD189C068341

Function 00007FFAAC5104C8 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC510BD2

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 805e85f6180aecf71defe31c303efcf325a2c0acf27c556e77d2a43e37a7a47f
Instruction ID: f1ff62fb4374ce564592d47091ab0720730502e8218ed13d4175bffde34c361a
Opcode Fuzzy Hash: 805e85f6180aecf71defe31c303efcf325a2c0acf27c556e77d2a43e37a7a47f
Instruction Fuzzy Hash: 1C31B362B199490FE798EB3CD85AA79B6C6EBD9315F0546BEF00EC3293DD649C058380

Function 00007FFAAC510E11 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC510E42

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: d2f9426ecca6d0e98a41a7f05f99d7c28bda5ca9a64a79dc7c64273fdb4f2f2e
Instruction ID: 26c9cf4ab39295a86bfde361d32e8d3d270ac3f0c92b58ee79476f9657c704d1
Opcode Fuzzy Hash: d2f9426ecca6d0e98a41a7f05f99d7c28bda5ca9a64a79dc7c64273fdb4f2f2e
Instruction Fuzzy Hash: D831B452B58A4A4FF784B7BCD81A7BC77D6EB99751F0442BAF00EC3292DD18AD018381

Function 00007FFAAC510CC1 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC510D00

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: be5aa74a0af9eb7c71d5f70416ed0299fd5556d839b7d45e0d5eef813aa688e2
Instruction ID: e842816dfd410111327efed94f5f4e3a9ecb552d13d58d10e7c0ad396762bd34
Opcode Fuzzy Hash: be5aa74a0af9eb7c71d5f70416ed0299fd5556d839b7d45e0d5eef813aa688e2
Instruction Fuzzy Hash: EC41D565A5C64A8FEB45EB78C4566F97BF1FF99301F5045B9E00EC7287CD28A8018780

Function 00007FFAAC510E30 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

6, xrefs: 00007FFAAC510E42

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1452363761
Opcode ID: f2fbf8e2d900259f4f530d2ea943d6b2175fb29ec166c7513800ac43b34372c5
Instruction ID: bf66abb53fdfef19d9153ff33fa9ec7bf51fe6670845bd5f980f7b95a205af9d
Opcode Fuzzy Hash: f2fbf8e2d900259f4f530d2ea943d6b2175fb29ec166c7513800ac43b34372c5
Instruction Fuzzy Hash: 89318452B58D0A4BF784B7BCD81E7BD66D6EB99751F0042BAE00EC3292DD18AC414381

Function 00007FFAAC5113D5 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC511376

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: 2e1c59f01258f1b31533997c74feab69033a42c1a9f1c7368adcd3f7a4e7b588
Instruction ID: b4d5cbf68688a38f034fd6ba8b4d5b3df215f1aed5acafc5b65548e59ebaab59
Opcode Fuzzy Hash: 2e1c59f01258f1b31533997c74feab69033a42c1a9f1c7368adcd3f7a4e7b588
Instruction Fuzzy Hash: 4B21B461E4E6838BF755B778C45A6B92696AF96710F1484F9F00FC71C3DE6CE80542C1

Function 00007FFAAC517CE1 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC517D53

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 1e4926a07b00d3acfcb2a2a2c5074aa7e6578bbd62656b00060c49f713b4b895
Instruction ID: 9897f3874bccb2957c5d8040fdba7658a14fa28cb3159555086db294dc7d2489
Opcode Fuzzy Hash: 1e4926a07b00d3acfcb2a2a2c5074aa7e6578bbd62656b00060c49f713b4b895
Instruction Fuzzy Hash: 7821F531C4D25ACFEB05ABA888096F97BE4EF46310F0541BAE44ED3192DB2C944887D1

Function 00007FFAAC51135D Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

HB, xrefs: 00007FFAAC511376

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID: HB
API String ID: 0-408134297
Opcode ID: 53b43db06e8e58a05d17312b15b43ea6981f42ee03d83f288463c9c0338acedf
Instruction ID: 138e6ac979105f48b352b97463686e3b234efa7d37c1421b50de71ab4f53f1eb
Opcode Fuzzy Hash: 53b43db06e8e58a05d17312b15b43ea6981f42ee03d83f288463c9c0338acedf
Instruction Fuzzy Hash: 4201A251E4E6878FF7957778802A2792AD5AF66300F5484FAF04EC75C3DD1CA8058381

Function 00007FFAAC516736 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33cab40b34d6397e31ec4abaf77c3d8af54496be07d2cbf73d4cfb317e15fc5
Instruction ID: daba05e89b3c521e74b9cc90e512115799d3b96a0f4839d74fc9a38c4f05bb64
Opcode Fuzzy Hash: b33cab40b34d6397e31ec4abaf77c3d8af54496be07d2cbf73d4cfb317e15fc5
Instruction Fuzzy Hash: 61B1A670509A8E8FEB69EF28C8557E93BE1FF55310F14826AE44EC7291CE34D945CB82

Function 00007FFAAC517FA6 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba67d0cc3cf6372eba762fb5abbbe1421b85140eff990adac5a57ade8fbb1c3
Instruction ID: b632cece9daed50b461001dbef2d42b827463b608fcea00cd81332b90f84edad
Opcode Fuzzy Hash: 3ba67d0cc3cf6372eba762fb5abbbe1421b85140eff990adac5a57ade8fbb1c3
Instruction Fuzzy Hash: FDA10971A4DA4D8FEB45EB78C8495B97BE1EF46311B0445BAE00EC3292DF38A845C781

Function 00007FFAAC517578 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbb31e6741565a5b522476fbae16d8f5bbfff2b0a50cd87d1774d98ea47c9cb
Instruction ID: 7ec316b2a23aa59289c846bd964a79c156dfeb94fd93b41e6104968d54f9e552
Opcode Fuzzy Hash: cbbb31e6741565a5b522476fbae16d8f5bbfff2b0a50cd87d1774d98ea47c9cb
Instruction Fuzzy Hash: 0E21A653A4DB868FF756A76C682A1FD3FA5EF57260B0905F7E08EC3193D814580A43D1

Function 00007FFAAC518F6A Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d85128e185e81a2f33fa6e5ce62494171011a3f85b470679171bfa6ae2e5bc
Instruction ID: 48845e0db3356824f5714ee99c4308e1efd316c8e720ad5dbec714422d4f4826
Opcode Fuzzy Hash: e7d85128e185e81a2f33fa6e5ce62494171011a3f85b470679171bfa6ae2e5bc
Instruction Fuzzy Hash: E891297094C64A8FE744EB7CD819AF87BE5EF56310F04817AE00EC32D3DE29A8458791

Function 00007FFAAC518038 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9495960b176ca8d3c049265a364e02920a8116cefab33e2cec0099c60d7713e2
Instruction ID: a865b1b82be871b5cf6e7795a3ed435d015f3d4ef691a3f651bc97971b4ef032
Opcode Fuzzy Hash: 9495960b176ca8d3c049265a364e02920a8116cefab33e2cec0099c60d7713e2
Instruction Fuzzy Hash: 0B71C371A89A5D8FEB85FB7CC4595B97BE1FF59311B00457AE00EC3292DF3898458780

Function 00007FFAAC51845E Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc73018f4e2e55fe5b051be746db93eaa44530f8f330bb7d7e8f7c87c663786
Instruction ID: d12127ac68d42d34541ad72b96dbf39cfaf7a579dc4820ec4d02dd7aee622c65
Opcode Fuzzy Hash: dcc73018f4e2e55fe5b051be746db93eaa44530f8f330bb7d7e8f7c87c663786
Instruction Fuzzy Hash: B071E27194DA4B8FF758FB38844A6A4BBD4EF56314F4585B9E04EC3193DE28E84A83C1

Function 00007FFAAC517DCD Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9158ebaf2e4f5b01cc57c9e14594a1a78209e09378d4a15b348f738f3a7d60e6
Instruction ID: ebb6af0f15f1f2eb61c0d1592c7c22f972db5cceac644f48c0b8bdc4b65c973e
Opcode Fuzzy Hash: 9158ebaf2e4f5b01cc57c9e14594a1a78209e09378d4a15b348f738f3a7d60e6
Instruction Fuzzy Hash: 2051947190860D8FDB58DB68D845BEDBBF1FF59310F1082AAD04ED3252CA34A946CB81

Function 00007FFAAC5186F1 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca8f97a80c35c77d876313305cf626673b0d75efb5c7477801fc4f543a46016
Instruction ID: c11cd4d11e829572294734bec03d49a9d80a92466a2ad9572220db95aeb9d510
Opcode Fuzzy Hash: 0ca8f97a80c35c77d876313305cf626673b0d75efb5c7477801fc4f543a46016
Instruction Fuzzy Hash: 5C51F870A5D90A9FE758EB38D859ABCB7F6FF55300F0445B9E00EC3292CE28A8058780

Function 00007FFAAC517588 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038b8b23adf10db27628f98f3b13cb00296201a23125667fa0bec55a334b5e72
Instruction ID: 019a56cde18eedf363c7a3f0c6528728b35abd94bd5305aa3c195312ebeacef3
Opcode Fuzzy Hash: 038b8b23adf10db27628f98f3b13cb00296201a23125667fa0bec55a334b5e72
Instruction Fuzzy Hash: AE21C552A4DBD64FF752A76CA82A1FD7FA5EF57260B0805F7E04EC3193D814580943D1

Function 00007FFAAC51366C Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e57364648ccfc24ed8fdb103887e9ca72f46b9e3faf40d6c2ed343fc0eabc6
Instruction ID: 8f5e92add60c00a84dab4ac3e0bd12f9c0ebb48a5a5035ec5d0aebf02a4d2d9f
Opcode Fuzzy Hash: 54e57364648ccfc24ed8fdb103887e9ca72f46b9e3faf40d6c2ed343fc0eabc6
Instruction Fuzzy Hash: 42517471908A1C8FDB58DB58D855BE9BBF1FB59310F1082AAD04DD3252DE34A9858FC1

Function 00007FFAAC51897D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068d34b707a479b7e47048c03530d137746e75cbe902b25b2c8e51c6c70edb7e
Instruction ID: 67e6a3eb763c36defd7d296e0edff7773ea08fa276ef2aa0575e4848e793b358
Opcode Fuzzy Hash: 068d34b707a479b7e47048c03530d137746e75cbe902b25b2c8e51c6c70edb7e
Instruction Fuzzy Hash: 55514C71A5D6494FEB98E738C859AF97BE5EF59310F0541BAE00ED7292CD28DC42C780

Function 00007FFAAC519B72 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d67067c60c0df2574b589c46a1ce580a18463a0ce51fb6800eb99d3ff1f444f
Instruction ID: ba6dcb8190ecf6bf73e4255a55ee5e891284a77e79d864f21588d7c73d4843cd
Opcode Fuzzy Hash: 8d67067c60c0df2574b589c46a1ce580a18463a0ce51fb6800eb99d3ff1f444f
Instruction Fuzzy Hash: 88515875A5D68A8FE754B73888196B97BE4FF56320F0441FAE04EC7193DA28E809C381

Function 00007FFAAC517598 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce01374c364e288a36194259bceeca293bb48d01ed6e2fd021008cd5e6ed898
Instruction ID: 80833fc07884aad7f4ba7cd9fdb186993b95c2a9b8123f7beb3ebfb758432be8
Opcode Fuzzy Hash: fce01374c364e288a36194259bceeca293bb48d01ed6e2fd021008cd5e6ed898
Instruction Fuzzy Hash: 4911E152A4DBDA4FF742A76C982A1FD7FE1EF46250B0801F7E04EC3193D818980943D2

Function 00007FFAAC5175A8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9ea13e820f3146bf2657231535f9ac618c414920b9eb61f65d15d35b3589bb
Instruction ID: 7bf454d6a054fb2c31148daa4ac0f4e3324fb7260940997f8cdd0dfcc1e3d72f
Opcode Fuzzy Hash: 1e9ea13e820f3146bf2657231535f9ac618c414920b9eb61f65d15d35b3589bb
Instruction Fuzzy Hash: 4F11CE6294DB9A4FEB42E76C982A1AD7BE5EF46250B0805F7E04EC3193DD18AC0943C2

Function 00007FFAAC51148D Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d5cce8682d59d16b6cebf23b5f45ae422a65d18cad262fd5352a0beb2d765
Instruction ID: 3eae9c45fc1b9a1eeb51f80a52ec3f77e8059281c10b64e62128a15a3d1722a9
Opcode Fuzzy Hash: fe6d5cce8682d59d16b6cebf23b5f45ae422a65d18cad262fd5352a0beb2d765
Instruction Fuzzy Hash: E05190B094DA5D8FEB58EB28D459AB97BF0FB59301B0041AEE00EC7292CB35D8058B81

Function 00007FFAAC5196FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995965b403a02e2ff86c08be4c5b8f9c3c9512eb4b93ad18fe1b43f8e904bfa6
Instruction ID: 856690d336c50dd1d13b05cedd7cb2a86a1d567fc2cf543ed35b2234f510c314
Opcode Fuzzy Hash: 995965b403a02e2ff86c08be4c5b8f9c3c9512eb4b93ad18fe1b43f8e904bfa6
Instruction Fuzzy Hash: F1514C7194D78A8FE756EB3894546A57FE1EF4B310B1401FEE04EC71A3CA289C45C781

Function 00007FFAAC519C25 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b12538035c7f1d2a423fbf2d2ec74538be8c66cec48c07d4f06832c2944228c
Instruction ID: 1a5fc2c49269fe03be95b7f543fdc1db8db503f684a7419863647e2b2b352d3f
Opcode Fuzzy Hash: 1b12538035c7f1d2a423fbf2d2ec74538be8c66cec48c07d4f06832c2944228c
Instruction Fuzzy Hash: 48412575A4C64D8FEB54FB38C8156E97BE1FF5A320F0502BAE04EC3193DA28E8458781

Function 00007FFAAC5189D0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af17c5195d7873b32d5c009e33cbf41f8fcfee111ae32d208a2f33bcf7d832b
Instruction ID: b523d1b3bbacee0d364f4bee85a84568e06c210887ddf0b0187e677504a2b779
Opcode Fuzzy Hash: 4af17c5195d7873b32d5c009e33cbf41f8fcfee111ae32d208a2f33bcf7d832b
Instruction Fuzzy Hash: 97419471A1890D8FEB98FB7CC459AB9B7E2EF59310F154579E00ED3292DE24EC418780

Function 00007FFAAC5182F5 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43feb8f08db306040cd668f9fc443e47b5e4161f20a71b49bac216e609305f8a
Instruction ID: 4d200a37271f81f41ffa2acb3e108ea7ad5afb4c50115edca052d4d58312fbbd
Opcode Fuzzy Hash: 43feb8f08db306040cd668f9fc443e47b5e4161f20a71b49bac216e609305f8a
Instruction Fuzzy Hash: 0641246184D6C78FF31AA7648C565F5BBE5EF42310B1985BAE04BCB0D2CE1CA84A8781

Function 00007FFAAC519335 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f7ca773fcc6187192888fa01570ccae8cfa05ef49ca2a18aba3d725f6b6699
Instruction ID: 35ee27688f0b2afe8c59f8aa57136e38917000321e6b2299eec5390f30cc9396
Opcode Fuzzy Hash: 43f7ca773fcc6187192888fa01570ccae8cfa05ef49ca2a18aba3d725f6b6699
Instruction Fuzzy Hash: 5F31B23140D7888FD756DBA8C889AEABFF0EF56311F0882AFD089C7563C764A409CB51

Function 00007FFAAC519141 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb52843a0b74a12d1fc1a323e6dbb73839bb89e6bc3ae690eee18a58d1da97e
Instruction ID: f8b96ab2fc507da75c657f60475e23f7559aab8a6a7a7cb775348be0d6e5e669
Opcode Fuzzy Hash: 4eb52843a0b74a12d1fc1a323e6dbb73839bb89e6bc3ae690eee18a58d1da97e
Instruction Fuzzy Hash: EA21F560A9C95A4BE744B77CD816BE977D5EF5A310F4042BAF01EC32C3CD18A9448382

Function 00007FFAAC518B31 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b38bf40421f04e3276bd32fad609d51ad752a9f2c51ddf0d0ff66ac305dc007
Instruction ID: 995130cf553ad35e02900a79bcff5057677325ba44c98903c25596eb6d41aa88
Opcode Fuzzy Hash: 8b38bf40421f04e3276bd32fad609d51ad752a9f2c51ddf0d0ff66ac305dc007
Instruction Fuzzy Hash: 6221F671A5994A8FE76CEB28D4996BDF7D0EF55300F01467EE00FD3291CE299904C781

Function 00007FFAAC519259 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4af874cc6e793e46f29b31b2b940eb9d4f577ef5e7003c17bc373f4b258904
Instruction ID: d74689ca1f6487a4c8a6e77d0d37941a2770b2994266facfc1f23ce74cbcdf8e
Opcode Fuzzy Hash: bd4af874cc6e793e46f29b31b2b940eb9d4f577ef5e7003c17bc373f4b258904
Instruction Fuzzy Hash: 71110A21A8D59B4FE746A76888156F93BD5DF97250F0481B6E04FC7193CD1C990A83D1

Function 00007FFAAC510580 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344e2eb5e73ca36b6ec2e84b7a407bddbfd27a42a79035fde306dc43e87a2873
Instruction ID: 2e599ceaf9300611c863447cdbd0de7262fc63feafd65a157d81b75517e586a2
Opcode Fuzzy Hash: 344e2eb5e73ca36b6ec2e84b7a407bddbfd27a42a79035fde306dc43e87a2873
Instruction Fuzzy Hash: C101C430B9D91B8AFB59B72C844A6F973DAEB99355F408179E44FC3281DE28E80543C1

Function 00007FFAAC5112C1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d07a6b606140b2e6fc4b854b12d9d3f8ed1fff9b4b032a44edc228e76aaa7b
Instruction ID: 168d4327fba38882af5fed2abb0bffda80743fda0dd6090a43dd578a80e491d1
Opcode Fuzzy Hash: 62d07a6b606140b2e6fc4b854b12d9d3f8ed1fff9b4b032a44edc228e76aaa7b
Instruction Fuzzy Hash: B311A1B194C6CD8FE789DB3898A91F93FF0EBAA201B4444AFD04AD7593DA2444458741

Function 00007FFAAC517C21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f4b2b9002329f51f45f59fa0f22bafcbe92d874749f72df1f84ab9126512eb
Instruction ID: 54da38812b1521185f0268d7d1de2328c359d8a97a32acccf6580b5a532b02d2
Opcode Fuzzy Hash: 02f4b2b9002329f51f45f59fa0f22bafcbe92d874749f72df1f84ab9126512eb
Instruction Fuzzy Hash: A90126B2D09A8E8FDB44EBA8D81A5FD7BF0EF19201F0501FBD049CB193DE2898448781

Function 00007FFAAC511141 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfb74087fd5b7ef7b9c565c6c4effef3327c4ce0a877e16d33698548c62928b
Instruction ID: 148beced2af800ded51f89eb526893c180d2e013f0abe6ec8555d32351517c3b
Opcode Fuzzy Hash: 3dfb74087fd5b7ef7b9c565c6c4effef3327c4ce0a877e16d33698548c62928b
Instruction Fuzzy Hash: F1F0B43546874C8FEB42BF64980519A7B64FB56314F41068BF81DC7091EB25D668C782

Function 00007FFAAC51143B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0243393c2984c502dde9b2614b88ac31fd58a6f3e4ac159c46fa07a4e50c5463
Instruction ID: 8ecd3464075896dbfe0f0e029eb00ecbd37b6f85131d784ffda14759f244e62b
Opcode Fuzzy Hash: 0243393c2984c502dde9b2614b88ac31fd58a6f3e4ac159c46fa07a4e50c5463
Instruction Fuzzy Hash: 7DF08C70D8E5138AF251F729C04967A62AAABA6710F5085B4E01FC32C2DF78F44982C1

Function 00007FFAAC511284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0cfecfc4375da75714f86860b15d1bd87a265b6e11f50286a2caf3c4c8ce23
Instruction ID: 6ef10a325d3806942602bf26d758776511c5dae55b6cdfe4a52c6c4643f7a4ae
Opcode Fuzzy Hash: 9f0cfecfc4375da75714f86860b15d1bd87a265b6e11f50286a2caf3c4c8ce23
Instruction Fuzzy Hash: 8BD01205C9E2C74BF70B23790C565957FA48A531A0B8A42D1E459C74D3D98E949E82B2

Function 00007FFAAC510795 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction ID: 689d7625a8744ae1924d79b93dd1ad205296503b6c065a30906f0da4024df402
Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction Fuzzy Hash: 3FB09200EFB48784A8093379094A0A8BBA49B8B134FD444B0F48E41082984D55EA42C2

Non-executed Functions

Function 00007FFAAC51ACB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2720266682.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac510000_kJsfHgzi7N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c43756a28cc7ccfc75721bd11a449563869123567067beca766d2a2517bdd98
Instruction ID: fded61793f814468bf22de4280c831412007bc4df89cb0b8b441dca23fd72cea
Opcode Fuzzy Hash: 3c43756a28cc7ccfc75721bd11a449563869123567067beca766d2a2517bdd98
Instruction Fuzzy Hash: E171ED2158F7C54FE343A338D858AA57F95AF83325F0D81FAE08DCB4A3DA95850AC742

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kJsfHgzi7N.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kJsfHgzi7N.exe_6e93cf24fbd62951e3558f64d8296fd8ae7a_00a58ed6_2dc9bf71-9b6a-444a-bdbd-43fc7e3d3cb2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8F8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD928.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
kJsfHgzi7N.exe